The Gentlemen ransomware-as-a-service (RaaS) operation has distinguished itself by actively developing a dedicated suite of endpoint detection and response (EDR) killer tools, giving affiliates a systematic way to blind security software before deploying their payload.
A RaaS That Invests in Evasion
Unlike many ransomware groups that rely on opportunistic or borrowed evasion techniques, Gentlemen maintains its own development pipeline for disabling endpoint defenses. Security researchers tracking the group have observed the gang continually refining and updating multiple EDR killers — tools purpose-built to terminate or crash security agents running on victim systems.
The approach reflects a broader trend in ransomware operations: treating defense evasion as a first-class capability rather than an afterthought. By deploying these killers before the encryptor runs, affiliates significantly reduce the chance that an endpoint security product can detect, quarantine, or alert on the malicious activity.
Multiple Tools, Multiple Techniques
Gentlemen's toolkit reportedly includes several distinct EDR killers, each targeting different security product categories or employing different evasion approaches. Techniques observed include:
- Bring Your Own Vulnerable Driver (BYOVD) — abusing legitimately signed but vulnerable kernel drivers to kill security processes from the kernel level, where most endpoint agents cannot defend themselves
- Process termination via Windows APIs — using native calls to forcibly stop EDR agent processes before they can generate alerts
- Service disruption — disabling or uninstalling security services to prevent them from restarting after a reboot
- Token impersonation — escalating privileges to terminate protected security processes that standard users cannot touch
The variety of approaches suggests the group tests different methods across victim environments and cycles killers in and out as security vendors patch or detect them.
Connection to Broader Campaign Activity
Gentlemen was first identified in 2023 and has since grown its affiliate count and victim tally substantially. The group claimed 478 victims as of mid-2026, making it one of the more active ransomware-as-a-service operations currently tracked. The gang has been observed using SystemBC for bot-powered relay infrastructure, adding another layer of operational security to its attacks.
Researchers also note the group's willingness to update its tooling rapidly — a sign of an organizationally mature criminal operation with dedicated development resources. When an EDR vendor updates detections to catch a specific killer, Gentlemen affiliates have been seen switching to alternative tools within days.
Why This Matters
The proliferation of EDR killer tooling across ransomware groups has become one of the most pressing challenges for enterprise defenders. Endpoint security products represent the last line of defense after network perimeter controls fail — and tools that can systematically disable them before an attack fully executes dramatically increase attacker dwell time and payload delivery success rates.
Organizations should consider:
- Multi-layer detection that does not rely solely on endpoint agents — network-based detection and SIEM correlation remain effective even when endpoint agents are disabled
- Protected mode and tamper protection features available in most modern EDR products, which make it significantly harder to kill agents without kernel-level access
- Vulnerable driver monitoring — BYOVD attacks require loading a vulnerable driver, which leaves detectable artifacts in Windows event logs and driver inventory
- Privileged access hardening — many EDR killer techniques require elevated privileges; limiting lateral movement and privilege escalation opportunities reduces an attacker's ability to reach the point where EDR killers can be deployed
Indicators and Recommendations
Security teams should review their EDR product configurations to ensure tamper protection is enabled and that agent self-defense features are active. Monitoring for unusual process termination events targeting security software — particularly involving calls from processes that do not normally interact with security tooling — can provide early warning of EDR killer activity.
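As an added example (not code from the BleepingComputer report or from any Gentlemen tooling), the following Python correlates Sysmon-style endpoint records to surface the two artifacts the text points to: vulnerable-driver loads described under "Vulnerable driver monitoring" above, and terminate-access requests or terminations against security agent processes described in the paragraph above. The agent image paths, the source allowlist and the driver hash are assumptions, and the event records are constructed and already parsed into dicts; a real deployment substitutes its own agent images and a maintained vulnerable-driver hash list such as the Microsoft driver blocklist.

```python
"""Correlate Sysmon-style endpoint telemetry for two EDR-killer behaviours: vulnerable-driver
loads (BYOVD) and termination of security agent processes. All values are constructed samples."""

# Constructed placeholder; a real deployment loads the Microsoft vulnerable driver blocklist here (assumption).
VULN_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
# Agent images to protect and sources allowed to hold terminate rights on them (constructed, lower-cased).
PROTECTED_IMAGES = {r"c:\program files\edr\agent.exe"}
ALLOWED_SOURCES = {r"c:\windows\system32\services.exe", r"c:\program files\edr\agent.exe"}
PROCESS_TERMINATE = 0x0001  # access right a killer needs on the agent's process handle
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")  # odd places for a driver

def flag_driver_loads(events):
    """Sysmon Event ID 6 (DriverLoad): blocklisted hash, or driver loaded from a user-writable path."""
    alerts = []
    for e in events:
        if e["EventID"] != 6:
            continue
        path = e["ImageLoaded"].lower()
        if e["Hashes"].get("SHA256") in VULN_DRIVER_SHA256:
            alerts.append(("byovd_blocklisted_driver", path))
        elif path.startswith(USER_WRITABLE):
            alerts.append(("driver_from_user_writable_path", path))
    return alerts

def flag_agent_tampering(events):
    """Sysmon Event ID 10 (ProcessAccess) granting PROCESS_TERMINATE on an agent to an unexpected
    source, and Event ID 5 (ProcessTerminate) recording that an agent process actually died."""
    alerts = []
    for e in events:
        if e["EventID"] == 10:
            source, target = e["SourceImage"].lower(), e["TargetImage"].lower()
            if (target in PROTECTED_IMAGES and source not in ALLOWED_SOURCES
                    and int(e["GrantedAccess"], 16) & PROCESS_TERMINATE):
                alerts.append(("terminate_handle_to_agent", source))
        elif e["EventID"] == 5 and e["Image"].lower() in PROTECTED_IMAGES:
            alerts.append(("agent_process_terminated", e["Image"].lower()))
    return alerts

SAMPLE_EVENTS = [  # constructed records in the shape Sysmon emits, hashes already parsed to a dict
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": {"SHA256": "CONSTRUCTED_BENIGN_HASH"}},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv.sys",
     "Hashes": {"SHA256": "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\kill.exe", "GrantedAccess": "0x1fffff",
     "TargetImage": r"C:\Program Files\EDR\agent.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\services.exe",
     "GrantedAccess": "0x1", "TargetImage": r"C:\Program Files\EDR\agent.exe"},
    {"EventID": 5, "Image": r"C:\Program Files\EDR\agent.exe"},
]
```

Run over the sample set, the driver check fires once (the blocklisted driver in C:\Users\Public) and the tampering check fires twice (the terminate-capable handle from kill.exe, then the agent's own exit), while services.exe's legitimate handle is ignored.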
Threat intelligence teams tracking Gentlemen can reference the group's escalating victim count and infrastructure patterns, which have been documented by multiple threat research organizations throughout 2025 and 2026.
Source: BleepingComputer