Ransomware operations have long competed on speed and stealth. Over the past two years, one such group—The Gentlemen—has invested considerable engineering effort into building and maintaining a toolset specifically designed to neuter endpoint detection and response (EDR) systems before deploying encryption payloads. Understanding these techniques is crucial for infrastructure teams managing sensitive workloads or considering their hosting and security posture.

The GentleKiller Framework and EDR Targeting

The Gentlemen RaaS operation uses a framework called GentleKiller that targets approximately 400 distinct security processes across Windows systems. Rather than attempting generic privilege escalation or persistence, this approach focuses narrowly on identifying and terminating the sensors and agents that modern EDR solutions rely on for visibility.

EDR systems depend on lightweight kernel drivers and user-mode agents running continuously on endpoints. If those processes are killed or disabled before a ransomware payload executes, the encryption event occurs largely unobserved. GentleKiller appears to enumerate running processes, cross-reference them against a maintained list of known EDR vendors' process names, and terminate matches before the main attack proceeds.

What distinguishes this approach from older antivirus-killing scripts is the scale and maintenance burden. Supporting 400 targets implies the group is actively tracking product updates, new vendor releases, and process naming conventions. This is the work of a professional operation, not ad-hoc malware scripting.

Affiliate Model and Distribution

The Gentlemen distribute GentleKiller to their affiliate network—the downstream operators who carry out actual attacks under the RaaS banner. This model allows the core team to maintain and evolve the EDR-killing capability once, whilst affiliates benefit from updates without needing their own reverse-engineering teams.

In practical terms, an affiliate receives a toolkit that includes reconnaissance modules, credential dumpers, lateral movement scripts, and GentleKiller itself. The affiliate stages a compromise (via phishing, exploitation, or stolen credentials), runs the EDR killer, waits for confirmation of disablement, then executes the ransomware. The entire sequence can complete in hours, leaving minimal forensic evidence of the attack's intermediate stages.

Implications for Hosting and Infrastructure Operators

For organisations running dedicated servers, virtual private servers, or hybrid cloud environments, this capability raises several questions about defensive strategy.

First, relying solely on endpoint-based EDR without network-layer defences becomes riskier. If an attacker gains initial access to a single machine and successfully kills the EDR, the rest of the infrastructure is blind to that machine's behaviour. Network segmentation, flow analysis, and centralised logging become critical backups.

Second, EDR agent health monitoring is not optional. If an EDR process terminates unexpectedly—especially multiple security processes in sequence—that should trigger immediate alerting to a security operations centre, not silent failure. Many organisations deploy EDR but fail to monitor whether the EDR itself is still running.
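As an added illustration (not code from the original article or from the group it describes), the detector below applies this health-monitoring idea to constructed process-termination telemetry: one protected process exiting is a warning, but several distinct protected processes exiting inside a short window is escalated, since that burst is the pattern of a sequential EDR-killer run. The log format, the watchlist names and the thresholds are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed watchlist of the security agent image names this host should be
# running; in practice populate it from your EDR vendor's documentation.
PROTECTED = {"edrsensor.exe", "edrservice.exe", "avengine.exe", "avfilter.exe"}

WINDOW = timedelta(seconds=120)   # burst window (assumed value)
BURST = 2                         # distinct protected exits in WINDOW = critical

def parse(line):
    """Parse one constructed line: '<ISO time>|<event>|Image=<path>'."""
    ts, kind, *fields = line.strip().split("|")
    kv = dict(f.split("=", 1) for f in fields)
    image = kv.get("Image", "").rsplit("\\", 1)[-1].lower()
    return datetime.fromisoformat(ts), kind, image

def detect(lines):
    """Return alerts as (time, severity, message) tuples.

    A lone protected-process exit is a WARNING (crash or upgrade are
    plausible); BURST or more distinct protected processes exiting inside
    WINDOW is CRITICAL, the shape of a tool walking a kill list.
    """
    alerts, recent = [], deque()   # recent: (time, image) of protected exits
    for line in lines:
        if not line.strip():
            continue
        ts, kind, image = parse(line)
        if kind != "ProcessTerminate" or image not in PROTECTED:
            continue
        recent.append((ts, image))
        while recent and ts - recent[0][0] > WINDOW:   # drop stale entries
            recent.popleft()
        killed = sorted({img for _, img in recent})
        if len(killed) >= BURST:
            msg = f"{len(killed)} security processes terminated within "
            msg += f"{WINDOW.seconds}s: {', '.join(killed)}"
            alerts.append((ts, "CRITICAL", msg))
        else:
            alerts.append((ts, "WARNING", f"security process exited: {image}"))
    return alerts

# Constructed sample telemetry: a benign exit, a three-process kill burst,
# then an isolated exit half an hour later.
SAMPLE_LOG = """\
2024-01-01T10:00:00|ProcessTerminate|Image=C:\\Windows\\System32\\notepad.exe
2024-01-01T10:00:05|ProcessTerminate|Image=C:\\Program Files\\EDR\\edrsensor.exe
2024-01-01T10:00:06|ProcessTerminate|Image=C:\\Program Files\\EDR\\edrservice.exe
2024-01-01T10:00:09|ProcessTerminate|Image=C:\\Program Files\\AV\\avengine.exe
2024-01-01T10:30:00|ProcessTerminate|Image=C:\\Program Files\\AV\\avfilter.exe
"""

if __name__ == "__main__":
    for ts, sev, msg in detect(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), sev, msg)
```

In production the same logic would run in the central log pipeline, not on the endpoint, so that the alert survives the host it describes.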

Third, immutable logging and off-host data aggregation matter more than ever. Process termination events, file writes, and network connections should be forwarded to a centralised system that an attacker cannot access or modify from the compromised endpoint. Reports on The Gentlemen's evolving toolkit underscore that defenders must assume endpoint compromise and design accordingly.

Hardening Against EDR Killers

Some mitigations are technical. Running EDR agents with kernel-mode protection, using signed drivers, and restricting process termination via Windows Group Policy can slow attackers. However, determined adversaries with administrative credentials will eventually find ways around process-level protections.

More effective is operational segregation. Privileged operations—backups, domain administration, sensitive data access—should occur on machines with stricter endpoint controls and network isolation. Assume that an attacker will eventually achieve code execution on a general-purpose machine, and build defences on the premise that such a machine cannot be trusted.

Organisations with distributed infrastructure spread across multiple hosting providers or datacentres also benefit from architectural diversity. If one facility or provider experiences a ransomware event, clean recovery images and data are available elsewhere.

The Shifting Threat Landscape

The maturity and sophistication of RaaS operations reflect a commodification of ransomware attacks. What was once the province of elite criminal groups is now available as a franchise. The Gentlemen's investment in GentleKiller demonstrates that even the tools themselves are being refined and specialised as the ecosystem matures.

This is unlikely to be the final iteration. As organisations begin deploying more robust EDR implementations, as operating systems introduce new kernel protections, and as detection logic becomes more sophisticated, these RaaS groups will continue iterating. The arms race is ongoing, and defenders who treat EDR as a set-and-forget product will lose ground.

Infrastructure teams managing sensitive workloads—whether on dedicated servers, private cloud, or hybrid arrangements—should treat EDR killers as an existential threat to their security model. Endpoint defence remains important, but it cannot be the sole pillar. Comprehensive logging, network segmentation, assumption of breach, and rapid incident response are the foundations that make EDR valuable rather than a false sense of security.