
The Gentlemen Ransomware With Custom EDR/AV Killers Scaling Faster to Attack Industries Worldwide
The global cybersecurity landscape is under siege from emerging threats that evolve at an alarming pace. Among these, a relatively new but remarkably aggressive player has captured the attention of security experts worldwide: The Gentlemen Ransomware. First identified in mid-2025, this sophisticated operation, tracked by Microsoft as Storm-2697, has rapidly escalated its attacks, distinguishing itself through custom EDR/AV killers and a human-operated Ransomware-as-a-Service (RaaS) model. In its initial year of independent operation, The Gentlemen claimed over 500 victims, signaling a significant and escalating danger to organizations across various industries.
The Genesis and Evolution of The Gentlemen Ransomware
The Gentlemen ransomware group did not emerge from a vacuum. Its origins trace back to a payment dispute within the established Qilin RaaS program in mid-2025. This internal strife led to an independent offshoot, and what followed was a rapid transformation into a full-spectrum, human-operated RaaS operation. This transition highlights a concerning trend in the ransomware ecosystem: disgruntled affiliates or internal conflicts within established groups can spawn new, even more aggressive threats. The group’s ability to quickly establish its infrastructure and operational capabilities demonstrates a high level of technical proficiency and organizational capacity.
Custom EDR/AV Killers: A Game-Changer in Evasion
One of the most defining and alarming characteristics of The Gentlemen ransomware is its deployment of custom EDR/AV killers. Traditional ransomware often relies on known obfuscation techniques or exploits to bypass security controls. However, The Gentlemen has taken a more targeted approach, developing bespoke tools specifically designed to detect and disable endpoint detection and response (EDR) and antivirus (AV) solutions. This strategy significantly enhances their stealth and success rate. By effectively blinding security software, they gain a critical window of opportunity to encrypt systems and exfiltrate data undetected. This sophisticated evasion tactic underscores the need for multi-layered security defenses that go beyond signature-based detection.
The Human Element: Sophistication and Adaptability
Unlike automated botnet-driven attacks, The Gentlemen operates as a human-operated RaaS. This means that after initial access is gained, human operators actively navigate compromised networks, escalate privileges, deploy their custom tools, and execute the encryption payload. This human involvement provides a level of adaptability and intelligence that automated attacks cannot match. Operators can:
- Identify critical systems and high-value data within a network.
- Adjust their attack methods based on the specific security posture of the target.
- Bypass complex network segmentation and access controls.
- Engage in negotiation tactics once the compromise is complete.
This hands-on approach allows The Gentlemen to maximize impact and extort higher ransoms, making them a formidable adversary.
Global Reach and Industry-Wide Impact
In just its first year, The Gentlemen ransomware has demonstrated an astonishing global reach, claiming over 500 victims across various industries. This widespread impact suggests a highly effective affiliate program and a broad targeting strategy. While specific industries weren’t detailed in the provided source, the sheer volume of attacks implies that organizations of all sizes and sectors are at risk. The rapid scaling of their operations from a nascent group to a major global threat in such a short period is a cause for significant concern for cybersecurity professionals and business leaders alike.
Remediation Actions and Proactive Defense Strategies
Given the advanced nature of The Gentlemen ransomware, a robust and multi-faceted defense strategy is paramount. Organizations must move beyond basic security hygiene and implement proactive measures to counter sophisticated threats like Storm-2697.
- Enhanced Endpoint Protection: While The Gentlemen uses EDR/AV killers, investing in advanced EDR solutions with behavioral analysis, threat hunting capabilities, and strong integrity monitoring is crucial. Regularly update and patch all endpoint security software.
- Strong Access Controls and Segmentation: Implement the principle of least privilege. Segment networks to limit lateral movement and contain potential breaches. Multi-factor authentication (MFA) should be enforced everywhere possible.
- Proactive Threat Hunting: Security teams should actively hunt for signs of compromise, looking beyond automated alerts. This includes monitoring for unusual network traffic, unauthorized process execution, and privilege escalation attempts.
- Regular Backups with Offline Storage: Maintain immutable, offline backups of critical data. Test backup restoration regularly to ensure data recoverability.
- Vulnerability Management: Continuously scan for and patch vulnerabilities. While The Gentlemen’s initial access methods weren’t fully detailed in the source, exploiting known vulnerabilities like CVE-2023-2825 (if applicable to a specific environment, for instance) is a common entry vector for many ransomware groups.
- Security Awareness Training: Educate employees about phishing, social engineering, and safe browsing practices, as initial access often begins with human error.
- Incident Response Plan: Develop and regularly drill a comprehensive incident response plan, including communication protocols, recovery procedures, and forensic analysis.
Tools for Detection and Mitigation
While no single tool can guarantee immunity, a layered approach using the right technologies can significantly bolster an organization’s defense against The Gentlemen ransomware and similar threats.
| Tool Name | Purpose | Link |
|---|---|---|
| Sophos Intercept X | Advanced EDR with anti-ransomware and exploit prevention | https://www.sophos.com/en-us/products/intercept-x |
| CrowdStrike Falcon Insight | Cloud-native EDR with threat intelligence and threat hunting | https://www.crowdstrike.com/products/endpoint-security/falcon-insight-edr/ |
| Microsoft Defender for Endpoint | Comprehensive endpoint security platform, integrated with Windows OS | https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-for-endpoint |
| Varonis Data Security Platform | Data governance and behavioral analytics for identifying data exfiltration | https://www.varonis.com/products/data-security-platform |
| Nessus Professional | Vulnerability scanner for identifying and prioritizing weaknesses | https://www.tenable.com/products/nessus/nessus-professional |
Conclusion
The rapid emergence and evolution of The Gentlemen ransomware, tracked as Storm-2697, serve as a stark reminder of the dynamic and escalating challenges in cybersecurity. Its unique ability to deploy custom EDR/AV killers and its human-operated RaaS model make it a particularly dangerous threat. Organizations globally must recognize the sophisticated nature of such attacks and respond with a comprehensive and proactive defense posture. Investing in advanced endpoint protection, strong access controls, continuous vulnerability management, and robust incident response planning is no longer optional; it is essential for resilience against these rapidly scaling global threats.


