The Gentlemen ransomware-as-a-service (RaaS) operation has been found to maintain a comprehensive suite of endpoint detection and response (EDR) killing tools, branded internally as GentleKiller, which the group distributes to affiliates to disable security defenses before the ransomware is deployed.
Security researchers tracking the group report that the toolset targets over 400 distinct security-related processes, making it one of the most extensive EDR evasion frameworks observed in active ransomware campaigns.
The GentleKiller EDR Evasion Framework
GentleKiller operates as a multi-stage EDR termination suite distributed to The Gentlemen affiliates as part of their RaaS package. Unlike simpler tools that rely on a handful of kill commands, this framework includes:
- Process enumeration and classification — systematically identifies running security software before termination
- Service manipulation — disables Windows services associated with endpoint security platforms
- Driver abuse — loads a legitimately signed but vulnerable driver (the bring-your-own-vulnerable-driver, or BYOVD, technique) to gain kernel-level execution and terminate processes that user-mode tooling cannot touch
- Registry persistence removal — strips auto-start entries for security tools to prevent recovery after reboot
- Shadow copy deletion — removes VSS snapshots to prevent data recovery post-encryption
The framework targets processes from major security vendors including CrowdStrike, SentinelOne, Carbon Black, Sophos, Trend Micro, ESET, Malwarebytes, and dozens of others across both consumer and enterprise categories.
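As an added illustration (not GentleKiller code, and not from the researchers tracking the group), the following PowerShell turns the stage list above into detection logic: each Sysmon-style event is mapped to one of the framework's stages, and a host that shows three or more distinct stages inside a 30-minute window is flagged. The events, hostnames, command lines and the driver hash are constructed for this example; the vulnerable-driver hash list is a placeholder to populate from the Microsoft vulnerable driver blocklist or a source such as LOLDrivers, and the security process names are illustrative and should come from your own deployed stack.

```powershell
# Added example, not GentleKiller code: map constructed Sysmon-style events to the
# EDR-killer stages described above and flag hosts that show several stages in
# a short window. Field names follow Sysmon (EventId, CommandLine, TargetImage,
# GrantedAccess, ImageLoaded, Hashes, Signed, TargetObject, EventType); every
# value in this file is made up for the example.

# Illustrative process names only; populate from your own deployed stack.
$SecurityProcessNames = @('csfalconservice.exe', 'sentinelagent.exe', 'cb.exe',
                          'savservice.exe', 'msmpeng.exe', 'ekrn.exe')
# Placeholder hash; populate from the Microsoft vulnerable driver blocklist or LOLDrivers.
$VulnerableDriverHashes = @('0000000000000000000000000000000000000000000000000000000000000000')

function Get-KillerStage {
    param([pscustomobject]$Event)
    switch ($Event.EventId) {
        10 {  # ProcessAccess: bit 0x1 of GrantedAccess is PROCESS_TERMINATE
            $target = [System.IO.Path]::GetFileName($Event.TargetImage).ToLower()
            $access = [Convert]::ToInt32($Event.GrantedAccess, 16)
            if ($SecurityProcessNames -contains $target -and ($access -band 0x1)) { return 'ProcessTermination' }
        }
        1 {   # ProcessCreate: service stops, shadow copy deletion, kernel service install
            $cmd = $Event.CommandLine.ToLower()
            if ($cmd -match '\bsc(\.exe)?"?\s+(stop|delete|config)\b|\bnet1?(\.exe)?"?\s+stop\b|stop-service') { return 'ServiceManipulation' }
            if ($cmd -match 'vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|win32_shadowcopy') { return 'ShadowCopyDeletion' }
            if ($cmd -match '\bsc(\.exe)?"?\s+create\b.*type=\s*kernel') { return 'DriverAbuse' }
        }
        6 {   # DriverLoad: BYOVD drivers are validly signed, so key on the hash, not on Signed
            $sha256 = (($Event.Hashes -split ',') | Where-Object { $_ -like 'SHA256=*' }) -replace '^SHA256=', ''
            if ($VulnerableDriverHashes -contains $sha256 -or $Event.Signed -eq 'false') { return 'DriverAbuse' }
        }
        12 {  # RegistryEvent: deletions under Run or Services keys
            if ($Event.EventType -like 'Delete*' -and $Event.TargetObject -match '\\(CurrentVersion\\Run|Services)\\') { return 'PersistenceRemoval' }
        }
    }
    return $null
}

function Find-EdrKillerActivity {
    param([pscustomobject[]]$Events, [int]$WindowMinutes = 30, [int]$MinStages = 3)
    $findings = @()
    foreach ($hostGroup in ($Events | Group-Object Computer)) {
        $staged = foreach ($e in $hostGroup.Group) {
            $stage = Get-KillerStage $e
            if ($stage) { [pscustomobject]@{ Time = [datetime]$e.UtcTime; Stage = $stage } }
        }
        if (-not $staged) { continue }
        $staged = $staged | Sort-Object Time
        # Slide a window over the host's staged events; report the first window with enough distinct stages.
        foreach ($start in $staged) {
            $inWindow = $staged | Where-Object { $_.Time -ge $start.Time -and $_.Time -le $start.Time.AddMinutes($WindowMinutes) }
            $stages = $inWindow.Stage | Sort-Object -Unique
            if ($stages.Count -ge $MinStages) {
                $findings += [pscustomobject]@{ Computer = $hostGroup.Name; Start = $start.Time; Stages = ($stages -join ', '); Events = $inWindow.Count }
                break
            }
        }
    }
    return $findings
}

# Constructed sample telemetry: one host running the full sequence, one benign service stop.
$SampleEvents = @(
    [pscustomobject]@{ Computer='WS-042'; UtcTime='2025-01-10T10:00:00Z'; EventId=1;  CommandLine='sc.exe create gkdrv type= kernel binPath= C:\Users\Public\gkdrv.sys' }
    [pscustomobject]@{ Computer='WS-042'; UtcTime='2025-01-10T10:01:00Z'; EventId=6;  ImageLoaded='C:\Users\Public\gkdrv.sys'; Signed='true'; Hashes='SHA256=0000000000000000000000000000000000000000000000000000000000000000' }
    [pscustomobject]@{ Computer='WS-042'; UtcTime='2025-01-10T10:02:00Z'; EventId=10; TargetImage='C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe'; GrantedAccess='0x1' }
    [pscustomobject]@{ Computer='WS-042'; UtcTime='2025-01-10T10:03:00Z'; EventId=1;  CommandLine='net stop WinDefend' }
    [pscustomobject]@{ Computer='WS-042'; UtcTime='2025-01-10T10:04:00Z'; EventId=12; EventType='DeleteValue'; TargetObject='HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth' }
    [pscustomobject]@{ Computer='WS-042'; UtcTime='2025-01-10T10:05:00Z'; EventId=1;  CommandLine='vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ Computer='WS-007'; UtcTime='2025-01-10T11:00:00Z'; EventId=1;  CommandLine='net stop Spooler' }
)

Find-EdrKillerActivity -Events $SampleEvents | Format-Table -AutoSize
```

On the sample data the function returns one finding, for WS-042, covering all five stages within six minutes; WS-007's lone service stop stays below the threshold. Two design points matter in practice. The sample driver is `Signed='true'` on purpose: BYOVD drivers carry valid signatures, so the driver-load check keys on a hash blocklist rather than on signature status. And the command-line regexes only catch operators who shell out to `sc`, `net` or `vssadmin`; a tool that calls the service control or VSS APIs directly is seen only through the process-access and driver-load events, which is why the scoring counts distinct stages rather than requiring any one of them.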
Affiliate Distribution Model
The Gentlemen operate a structured affiliate program where GentleKiller is bundled with the encryptor payload as a pre-attack preparation toolkit. Affiliates receive:
- The GentleKiller executable suite
- A target process list updated by the core team
- Deployment guides for different operating environments
- Customer support through dark web infrastructure
This model reflects a broader trend in the RaaS ecosystem toward professionalizing anti-detection capabilities — treating EDR evasion as a distributed service rather than a per-affiliate challenge.
Why This Matters for Defenders
The systematic nature of GentleKiller poses a significant challenge to organizations relying primarily on endpoint-based detection. When an attacker can reliably kill EDR processes before deploying ransomware, the entire detection-and-response chain is severed at its most critical moment.
Security teams should consider layered defense strategies that do not depend on endpoint agents being active:
- Network-based anomaly detection — identify lateral movement and C2 communication before agents are killed
- Immutable logging — ensure security logs are shipped to remote SIEM systems that cannot be tampered with locally
- Tamper protection enforcement — modern EDR platforms offer tamper protection that resists user-mode termination and service-stop attempts; it does not stop a kernel driver, so it has to be paired with the driver controls below
- Privileged access control — BYOVD drivers carry valid signatures, so signature enforcement alone does not block them; enforce the Microsoft vulnerable driver blocklist, HVCI or a WDAC policy, and restrict local administrator rights, since loading a driver requires them
- Deception technology — decoy processes and services named like security tooling that alert when they are enumerated or targeted for termination, before the real agent is touched
The Gentlemen's Growing Infrastructure
The group has been linked to attacks against at least 478 victims globally, and it claims the ransomware can spread worm-like across networks. The GentleKiller framework is central to the group's operational doctrine: it lets affiliates with limited technical skill neutralize enterprise-grade security stacks.
Security researchers recommend organizations verify that tamper protection is enabled across all EDR deployments and that security event logs are being forwarded to remote, write-protected storage that local processes cannot modify or delete.
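As an added example (not from the researchers or any vendor named above), the following PowerShell audits, on a single Windows host, the controls that the layered-defense list and the closing recommendation call for: Defender tamper protection, the Microsoft vulnerable driver blocklist, HVCI, and a configured Windows Event Forwarding subscription manager. It assumes Microsoft Defender is the EDR (other products expose tamper protection through their own consoles, and the first check should be swapped for that), that logs leave the host via WEF rather than a third-party agent, and that it runs from an elevated prompt on Windows 10 22H2 / Windows 11 22H2 or later, where the blocklist registry value exists. The function name and the output shape are this example's own.

```powershell
# Added example: audit the anti-EDR-killer controls recommended above on one host.
# Assumes Microsoft Defender and WEF; adapt checks 1 and 4 for other EDR/log shippers.

function Test-EdrKillerResilience {
    $checks = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Control, $Actual, $Pass, $Fix)
        $checks.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Actual = $Actual; Fix = $Fix })
    }

    # 1. Tamper protection. Get-MpComputerStatus is Defender-specific; third-party
    #    EDRs expose the equivalent setting through their own console or API.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        & $add 'Defender tamper protection' "IsTamperProtected=$($mp.IsTamperProtected); mode=$($mp.AMRunningMode)" ([bool]$mp.IsTamperProtected) 'Enable tamper protection via Intune, the Defender portal, or Windows Security > Virus & threat protection settings'
    } catch {
        & $add 'Defender tamper protection' 'Get-MpComputerStatus unavailable (non-Defender EDR or module missing)' $false 'Verify tamper protection in your EDR console instead'
    }

    # 2. Microsoft vulnerable driver blocklist, the cheapest control against BYOVD.
    #    With HVCI on, the blocklist is enforced regardless of this value.
    $ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = $ci.VulnerableDriverBlocklistEnable
    & $add 'Vulnerable driver blocklist' "VulnerableDriverBlocklistEnable=$blocklist" ($blocklist -eq 1) 'Set HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable to 1, or enable HVCI'

    # 3. HVCI: Win32_DeviceGuard.SecurityServicesRunning contains 2 when
    #    hypervisor-enforced code integrity is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    & $add 'HVCI (memory integrity)' "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')" $hvci 'Turn on Core isolation > Memory integrity, or deploy HVCI via Group Policy'

    # 4. Remote log shipping: WEF subscription manager entries are numbered values
    #    ("1", "2", ...) under this policy key. Agent-based shippers need their own check.
    $wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $wef = Get-ItemProperty $wefKey -ErrorAction SilentlyContinue
    $collectors = if ($wef) { $wef.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value } }
    & $add 'Event forwarding (WEF)' "collectors=$($collectors -join '; ')" ([bool]$collectors) "Configure $wefKey via the 'Configure target Subscription Manager' policy"

    return $checks
}

$report = Test-EdrKillerResilience
$report | Format-Table Control, Pass, Actual -AutoSize
$failed = $report | Where-Object { -not $_.Pass }
if ($failed) { Write-Warning "Controls not in place: $($failed.Control -join ', '). See the Fix column." }
```

Run it per host from your configuration-management or EDR live-response tooling rather than by hand, and treat a failing check 2 or 3 as the priority: tamper protection on its own does not survive a kernel driver, which is exactly the vector the framework's driver-abuse stage relies on.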