How Gentlemen Ransomware’s EDR Killers Are Shifting the Attack Landscape

By Mag-Info Tech editorial · 2026-06-19

Cybersecurity teams have long relied on endpoint detection and response (EDR) platforms to spot and stop ransomware before it encrypts files. But a recent evolution in ransomware operations shows how attackers are systematically targeting these defenses themselves. The Gentlemen ransomware-as-a-service (RaaS) group is actively developing and deploying a suite of EDR-killing utilities designed to disable or evade security software before the ransomware payload is executed. This shift signals a broader trend: adversaries are no longer content to bypass controls; they are dismantling them at the kernel level.

The centerpiece of Gentlemen’s toolkit is GentleKiller, a custom EDR killer with at least eight documented variants. These variants do not just disable security processes—they impersonate legitimate software, including antivirus agents, gaming overlays, and monitoring tools such as Kaspersky, Valorant, Javelin, and WatchDog. By masquerading as trusted binaries, GentleKiller variants gain a foothold in the environment and elevate privileges using the “bring your own vulnerable driver” (BYOVD) technique. This approach allows attackers to load flawed or signed drivers to gain kernel-level access, which is then used to terminate security processes and disable EDR engines. Once defenses are silenced, the ransomware payload can proceed unimpeded, increasing the likelihood of a successful attack and higher ransom yields.

Analysis of the variants reveals a modular framework. Each version shares core code obfuscation techniques, process-killing logic, and targeting scope, but can swap vulnerable drivers on demand. This design allows the threat actor to rapidly adapt to new security updates or patching cycles by integrating recently disclosed driver vulnerabilities without rewriting the tool. The targeting scope is extensive: GentleKiller is engineered to neutralize processes associated with over 48 security vendors and products, including Microsoft, CrowdStrike, SentinelOne, Palo Alto Networks, Sophos, Trend Micro, ESET, Bitdefender, Trellix (formerly McAfee Enterprise), and Kaspersky. This breadth underscores a deliberate strategy to ensure compatibility across diverse enterprise environments.

Beyond the custom tool, the group maintains a collection of external EDR killers, including OxideHarvest, a Rust-based credential-stealing utility. These additional tools may be deployed for redundancy, to complicate attribution, or to handle scenarios where GentleKiller’s effectiveness is limited—such as when endpoint agents are running in protected memory or when kernel callbacks are hardened. The inclusion of third-party utilities suggests a mature operation that leverages multiple vectors to achieve its goals, increasing resilience against detection and response efforts.

The engineering behind GentleKiller is sophisticated. The binaries are protected using commercial packers like Enigma and Themida, which complicate reverse engineering and static analysis. Additionally, the operators have been observed using stolen or invalid digital signatures to lend an air of legitimacy to their payloads. While these signatures are ultimately invalid, their presence can delay detection and confuse automated systems that rely on certificate validation. This tactic highlights how attackers are blending technical sophistication with operational deception to evade defenses.

The implications for defenders are significant. Traditional EDR rules that rely on process termination alerts or signature-based detection are less effective when the attacker disables the EDR agent itself. Organizations that depend solely on endpoint monitoring may find themselves blindfolded during the critical early stages of an intrusion. Moreover, the BYOVD technique complicates remediation, as removing a vulnerable driver does not address the underlying compromise if the attacker retains persistence through other means. This underscores the need for layered defenses that include behavioral monitoring, network segmentation, and robust logging—capabilities that operate independently of the endpoint agent’s state.

Another concern is the reuse of code obfuscation patterns and targeting logic across variants. This consistency, while helpful for attribution, also enables defenders to develop generic detection rules and behavioral models that can flag new variants without waiting for updated signatures. Threat intelligence teams should monitor for common strings, process kill lists, and driver filenames associated with GentleKiller. Sharing these indicators through ISACs or vendor threat feeds can help organizations preemptively block known variants and reduce dwell time.

The use of Rust-based tools like OxideHarvest also signals a shift toward memory-safe languages in malware development. While Rust itself is not inherently secure, its adoption in malicious software suggests an attempt to reduce crash rates and improve stealth during lateral movement. Defenders should expect more malware families to adopt memory-safe languages, which may reduce traditional crash-based detection but also introduce new telemetry opportunities—such as unusual memory allocation patterns or network connections from Rust-compiled binaries.

For organizations, the rise of EDR killers like GentleKiller demands a rethinking of endpoint security architecture. Endpoint agents should not be the sole line of defense. Network detection and response (NDR) tools that monitor east-west traffic for anomalous behavior can detect ransomware activity even when the EDR agent is disabled. Similarly, application control solutions that enforce allow-listing can prevent unsigned or untrusted drivers from loading. Identity and access management (IAM) policies that restrict local administrative privileges can limit the attacker’s ability to deploy kernel drivers in the first place. These controls reduce the blast radius of BYOVD attacks and make it harder for adversaries to escalate privileges.

Incident response plans must also evolve. Teams should simulate EDR disablement scenarios during purple team exercises to test visibility gaps and response timelines. Automated playbooks should include steps for validating EDR agent health, isolating endpoints that lose telemetry, and conducting forensic analysis on systems where drivers were loaded. Logging should be centralized and immutable, with a focus on kernel events, driver loads, and process terminations—data points that persist even when the EDR agent is offline.

The broader cybersecurity community is responding. EDR vendors are enhancing kernel-level protection mechanisms, such as Microsoft’s Kernel-mode Hardware-enforced Stack Protection (KHSP) in Windows 11, which makes it harder for attackers to manipulate kernel stacks. However, this protection is not enabled by default and requires hardware and firmware support. Organizations should evaluate enabling KHSP where possible and assess compatibility with their endpoint agents. Similarly, virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI) can isolate critical components from tampering, though these features may introduce performance overhead and compatibility challenges.

Looking ahead, the proliferation of EDR killers is likely to continue. As ransomware groups professionalize, they are investing in tooling that directly counters the defenses designed to stop them. This creates a feedback loop: EDR vendors improve detection, attackers improve evasion, and defenders must adapt again. The result is a more complex threat landscape where static defenses are increasingly insufficient. Organizations that prioritize resilience—through redundancy, segmentation, and continuous validation—will be better positioned to withstand these attacks.

In the short term, defenders should audit their environments for signs of GentleKiller activity. Check for unsigned or suspicious drivers, unusual process terminations, or agents reporting loss of telemetry. Review logs for BYOVD patterns, such as driver filenames matching known vulnerable components. Update detection rules to flag Rust-based binaries that communicate with known C2 infrastructure. Critically, ensure that key systems are segmented so that a single compromised endpoint does not lead to widespread encryption.
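As an added example (not code from the article or from the Gentlemen toolkit), the following Python correlates the two log sources the article says survive an EDR outage, driver loads and process terminations, to surface the BYOVD-then-kill sequence described above and to list suspicious driver loads for the audit it recommends. The events are a constructed Sysmon-style sample, the driver filename is a placeholder, and the watched process names are illustrative assumptions.

```python
"""Flag BYOVD-style kill chains: a suspicious driver load followed shortly by
terminations of security-agent processes, over constructed Sysmon-style records
(id 6 = driver loaded, id 5 = process terminated)."""
from datetime import datetime, timedelta

# Illustrative watch lists (assumptions, not from the article): in practice the
# drivers come from a vulnerable-driver feed, the processes from deployed agents.
WATCHED_DRIVERS = {"vulnerable-driver-placeholder.sys"}
SECURITY_PROCESSES = {"MsMpEng.exe", "CSFalconService.exe", "SentinelAgent.exe"}
WINDOW = timedelta(seconds=60)  # kills must follow the driver load within this
MIN_KILLS = 2                   # one agent exiting may be an upgrade; two is a pattern

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"ts": "2026-06-19T10:00:00", "id": 6, "signed": False, "image": "C:\\Windows\\System32\\drivers\\vulnerable-driver-placeholder.sys"},
    {"ts": "2026-06-19T10:00:07", "id": 5, "image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"},
    {"ts": "2026-06-19T10:00:09", "id": 5, "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe"},
    {"ts": "2026-06-19T10:30:00", "id": 6, "signed": True, "image": "C:\\Windows\\System32\\drivers\\disk.sys"},
    {"ts": "2026-06-19T11:00:00", "id": 5, "image": "C:\\Windows\\notepad.exe"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1]

def is_suspicious_driver(ev):
    """Driver load that is unsigned or on the vulnerable-driver watch list."""
    return ev["id"] == 6 and (not ev["signed"] or basename(ev["image"]).lower() in WATCHED_DRIVERS)

def suspicious_driver_loads(events):
    """Audit view: every suspicious driver load, regardless of what followed."""
    return [{"ts": e["ts"], "driver": basename(e["image"]), "signed": e["signed"]}
            for e in events if is_suspicious_driver(e)]

def find_byovd_kill_chains(events, window=WINDOW, min_kills=MIN_KILLS):
    """One alert per suspicious driver load followed within `window` by >= `min_kills` agent kills."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, ev in enumerate(ordered):
        if not is_suspicious_driver(ev):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        killed = []
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break  # past the window; events are time-ordered
            if later["id"] == 5 and basename(later["image"]) in SECURITY_PROCESSES:
                killed.append(basename(later["image"]))
        if len(killed) >= min_kills:
            alerts.append({"ts": ev["ts"], "driver": basename(ev["image"]), "signed": ev["signed"], "killed": killed})
    return alerts
```

On the sample data the signed disk.sys load and the lone notepad.exe exit produce nothing, while the unsigned placeholder driver followed by two agent terminations within nine seconds yields one alert.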

The Gentlemen ransomware operation is a case study in how ransomware is evolving from a blunt-force attack to a surgical strike. By disabling defenses before encryption, the group increases its chances of success and maximizes impact. For defenders, the message is clear: protecting endpoints is no longer enough. Security must be holistic, anticipatory, and resilient to the inevitable moment when the attacker targets the defender’s own tools.