Published on June 20, 2026
The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes
Severity
Medium
Detail
The Gentlemen ransomware-as-a-service group has been observed using a dedicated EDR-killing framework known as GentleKiller to disable endpoint security tools before deploying ransomware. The framework targets more than 400 security-related processes from 48 different security products, including antivirus, EDR, monitoring, and endpoint protection solutions. The group provides these tools to its affiliates, making it easier for attackers to weaken defenses before encryption. The operation also uses other EDR-killing tools such as HexKiller, ThrottleBlood, and HavocKiller, along with a credential stealer known as OxideHarvest.
How?
GentleKiller relies on a technique known as Bring Your Own Vulnerable Driver (BYOVD). The attacker drops a legitimately signed but vulnerable kernel driver onto the victim system; because the driver carries a valid signature, Windows loads it, and the attacker then abuses its flaws to execute code or issue commands at kernel level. Kernel-mode code sits above the protections that stop ordinary user-mode malware from interfering with security software, so protected EDR and antivirus processes can be terminated from there.
Once executed, GentleKiller enumerates running processes, matches them against its list of antivirus, EDR, monitoring and other security tools, and attempts to terminate or disable those it finds so the ransomware can run with less detection and interruption. To avoid scrutiny itself, the tool uses fake filenames, copied icons, forged version information, and packed binaries so that it looks like a legitimate security or software component.
Once defenses are weakened, the attackers proceed with credential theft, lateral movement, data theft, and ransomware deployment. The attack is more dangerous because the victim's monitoring and response tools may already be disabled before the main ransomware payload is launched, so the encryption phase can go unseen.
Recommendation
To reduce the risk, the following actions are recommended:
- Enable tamper protection on antivirus and EDR solutions.
- Block known vulnerable drivers using a driver blocklist (for example Microsoft's recommended driver block rules, enforced through WDAC or HVCI) or application control. Signature checks alone are not enough, because the drivers abused in BYOVD attacks are validly signed.
- Monitor for unexpected termination of security processes, especially several in quick succession shortly after a new driver is loaded.
- Limit local administrator privileges on endpoints and servers.
- Keep endpoint protection, Windows, and drivers updated.
- Investigate unusual driver loading activity, such as drivers loaded from user-writable directories or whose hashes appear on a vulnerable-driver blocklist.
- Maintain secure offline backups for ransomware recovery.
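The following is an added detection example, not code from the original advisory, from the reporting vendor, or from the threat actor's tooling. It shows how the "How?" section and the monitoring recommendations above translate into detection logic: it runs over Sysmon-style events (EventID 6 DriverLoad, EventID 5 ProcessTerminate, EventID 1 ProcessCreate) and raises alerts for a driver loaded from an unusual path or matching a blocklist hash, for security-product processes being terminated, for a binary whose version information claims a security vendor while running from a user-writable path, and for the correlated pattern of a suspicious driver load followed by several security-process terminations within a short window. The process names, the blocklist hash, and all events are constructed for the example; tune them to your own estate and blocklist.

```python
"""Detection sketch for BYOVD-style EDR killing over Sysmon-like events.

Added example, not code from the advisory or any vendor. Field names follow
Sysmon (EventID 6 DriverLoad, 5 ProcessTerminate, 1 ProcessCreate); the
events, hashes and process list below are constructed for illustration.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: process names your security products run. Extend per estate.
SECURITY_PROCESSES = {"msmpeng.exe", "nissrv.exe", "mssense.exe"}

# Assumption: SHA-256 hashes from the vulnerable-driver blocklist you enforce.
# Placeholder value here; load the real list in production.
BLOCKED_DRIVER_HASHES = {"aa" * 32}

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files", "c:\\programdata\\microsoft\\")

# Constructed events: a driver dropped to a public folder, three Defender
# processes killed seconds later, a masquerading binary, and a benign kill.
CONSTRUCTED_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-06-20 10:00:01", "ImageLoaded": r"C:\Users\Public\update.sys",
     "Hashes": "SHA256=" + "aa" * 32, "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-06-20 10:00:03", "ProcessId": 4321,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-06-20 10:00:04", "ProcessId": 4322,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\NisSrv.exe"},
    {"EventID": 5, "UtcTime": "2026-06-20 10:00:05", "ProcessId": 4323,
     "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"EventID": 1, "UtcTime": "2026-06-20 10:00:10", "Image": r"C:\Users\Public\SecurityHealthService.exe",
     "Company": "Microsoft Corporation", "Description": "Windows Security Health Service",
     "Hashes": "SHA256=" + "bb" * 32},
    {"EventID": 5, "UtcTime": "2026-06-20 10:30:00", "ProcessId": 999,
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def sha256_of(event):
    """Pull the SHA256 value out of Sysmon's 'ALG=hash,ALG=hash' Hashes field."""
    for part in event.get("Hashes", "").split(","):
        if part.startswith("SHA256="):
            return part[len("SHA256="):].lower()
    return None


def suspicious_driver_load(ev):
    """Reasons a DriverLoad event looks like BYOVD staging (empty list if none)."""
    reasons = []
    path = PureWindowsPath(ev["ImageLoaded"])
    if sha256_of(ev) in BLOCKED_DRIVER_HASHES:
        reasons.append("hash on vulnerable-driver blocklist")
    # A BYOVD driver is validly signed, so this check rarely fires on its own;
    # the blocklist hit and the load path are what carry the detection.
    if ev.get("SignatureStatus") != "Valid":
        reasons.append("signature not valid")
    if not str(path.parent).lower().startswith("c:\\windows\\system32\\drivers"):
        reasons.append(f"loaded from unusual path {path.parent}")
    return reasons


def masquerading_process(ev):
    """ProcessCreate whose version info claims Microsoft but runs outside trusted roots."""
    image = str(PureWindowsPath(ev["Image"])).lower()
    claims_vendor = "microsoft" in ev.get("Company", "").lower()
    return claims_vendor and not image.startswith(TRUSTED_ROOTS)


def analyse(events, window=timedelta(seconds=60), min_kills=2):
    """Return (kind, subject, detail) alerts, with a correlated kill-chain alert last."""
    alerts, driver_loads, kills = [], [], []
    for ev in sorted(events, key=lambda e: parse_ts(e["UtcTime"])):
        ts = parse_ts(ev["UtcTime"])
        if ev["EventID"] == 6:
            reasons = suspicious_driver_load(ev)
            if reasons:
                driver_loads.append((ts, ev["ImageLoaded"]))
                alerts.append(("driver_load", ev["ImageLoaded"], "; ".join(reasons)))
        elif ev["EventID"] == 5:
            name = PureWindowsPath(ev["Image"]).name.lower()
            if name in SECURITY_PROCESSES:
                kills.append((ts, name))
                alerts.append(("security_process_terminated", name, ""))
        elif ev["EventID"] == 1 and masquerading_process(ev):
            alerts.append(("masquerading_binary", ev["Image"], f"claims {ev['Company']}"))
    # Correlation: a suspicious driver load followed by several distinct
    # security-process terminations inside the window is the EDR-kill pattern.
    for dts, drv in driver_loads:
        killed = sorted({n for kts, n in kills if dts <= kts <= dts + window})
        if len(killed) >= min_kills:
            alerts.append(("edr_kill_chain", drv,
                           f"killed {', '.join(killed)} within {int(window.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(CONSTRUCTED_EVENTS):
        print(alert)
```

The individual rules are noisy on their own (legitimate drivers sometimes load from odd paths, and security processes restart during updates), which is why the correlated `edr_kill_chain` alert is the one worth paging on; the per-event alerts are useful context during the investigation that follows.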
Source
https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html
