Threat Actor Adds Advanced ‘EDR Killer’ Tools to Ransomware-as-a-Service Platform
Why It Matters
Providing ready‑made EDR evasion tools democratizes sophisticated attacks, raising the overall ransomware threat level and forcing defenders to rethink endpoint security strategies.
Key Takeaways
- Gentlemen RaaS now offers the “GentleKiller” EDR evasion framework to its affiliates.
- The framework bundles third‑party tools such as HexKiller, ThrottleBlood and HavocKiller alongside home‑grown components.
- It uses BYOVD (bring‑your‑own‑vulnerable‑driver) to load a signed but exploitable driver and gain kernel‑level access.
- It targets roughly 400 EDR processes across 48 vendors, so most commercial endpoint agents are in scope.
- Experts advise HVCI, KMCI and strict driver allow‑list policies to mitigate.
Pulse Analysis
The ransomware landscape has entered a new phase where service providers are not only selling encryption payloads but also the means to bypass the most common defensive layers. The Gentlemen group, known for its generous 90/10 revenue split, has capitalized on this trend by releasing "GentleKiller," a comprehensive EDR‑killer framework. By integrating both home‑grown and well‑known third‑party tools, the platform offers affiliates a plug‑and‑play solution that sidesteps the arduous task of developing custom evasion code, thereby widening the pool of potential attackers.
At the core of GentleKiller is a bring‑your‑own‑vulnerable‑driver (BYOVD) methodology. Attackers first obtain administrative credentials, then load a legacy, vulnerable driver into the kernel and exploit it to execute code at kernel privilege. From there, the framework can target and disable up to 400 processes across 48 different EDR products, effectively neutralizing the endpoint’s detection capabilities. This approach not only streamlines the intrusion workflow but also exploits a structural gap: the driver is legitimately signed, so it passes default driver signature enforcement and loads on a fully patched host unless HVCI or a driver blocklist policy rejects it, and once it is in the kernel it runs at a privilege level that user‑mode security agents cannot police.
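The loading step in that chain is visible to defenders: Sysmon records every kernel driver load as Event ID 6 (ImageLoaded, Hashes, Signed, Signature, SignatureStatus). The script below is an added example, not code from the article or from any vendor, that triages such events for the BYOVD pattern. The events in `$SampleEvents` are constructed, and the hash in `$KnownVulnerableSha256` is a placeholder standing in for entries you would take from your own blocklist source.

```powershell
# Added example: triage Sysmon "Driver loaded" (Event ID 6) records for BYOVD indicators.
# Assumption: $KnownVulnerableSha256 holds SHA256 hashes of drivers you have chosen to
# block; the single entry below is a constructed placeholder, not a real driver hash.
$KnownVulnerableSha256 = @( ('AB' * 32) )

function Get-DriverLoadFinding {
    [CmdletBinding()]
    param(
        # One hashtable per event with the Sysmon EventData field names as keys.
        [Parameter(Mandatory, ValueFromPipeline)] [hashtable] $Event
    )
    process {
        # Sysmon writes Hashes as "SHA256=...,IMPHASH=..."; extract the SHA256 if present.
        $sha256 = $null
        if ($Event.Hashes -match 'SHA256=([0-9A-Fa-f]{64})') { $sha256 = $Matches[1].ToUpper() }

        $reasons = @()
        if ($Event.Signed -ne 'true' -or $Event.SignatureStatus -ne 'Valid') {
            $reasons += 'unsigned or invalid signature'
        }
        if ($sha256 -and ($KnownVulnerableSha256 -contains $sha256)) {
            $reasons += 'hash on vulnerable-driver list'
        }
        # Legitimate drivers live under System32\drivers or the DriverStore; a .sys loaded
        # from a user-writable location is a classic BYOVD staging tell.
        if ($Event.ImageLoaded -notmatch '^[A-Za-z]:\\Windows\\System32\\(drivers|DriverStore)\\') {
            $reasons += 'loaded from outside the driver directories'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ImageLoaded = $Event.ImageLoaded
                Signer      = $Event.Signature
                SHA256      = $sha256
                Severity    = if ($reasons -contains 'hash on vulnerable-driver list' -or
                                  $reasons -contains 'unsigned or invalid signature') { 'High' } else { 'Medium' }
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample events for an offline run: a normal Microsoft driver and a
# validly signed third-party driver dropped into a public directory.
$SampleEvents = @(
    @{ ImageLoaded = 'C:\Windows\System32\drivers\ndis.sys'; Hashes = 'SHA256=' + ('00' * 32)
       Signed = 'true'; Signature = 'Microsoft Windows'; SignatureStatus = 'Valid' },
    @{ ImageLoaded = 'C:\Users\Public\svc.sys'; Hashes = 'SHA256=' + ('AB' * 32)
       Signed = 'true'; Signature = 'Example Hardware Vendor'; SignatureStatus = 'Valid' }
)
$SampleEvents | Get-DriverLoadFinding | Format-Table -AutoSize

# On a host running Sysmon, feed live events instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -MaxEvents 500 |
#     ForEach-Object {
#         $d = @{}
#         ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         $d
#     } | Get-DriverLoadFinding
```

Only the second sample event produces a finding (High, because its hash is on the list and it was loaded from a user‑writable path); the signature check alone would not have caught it, which is the point of BYOVD. Path‑based and hash‑based rules should therefore be combined, and the hash list refreshed from a maintained blocklist rather than left static.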
Defenders must adapt by hardening the kernel environment and tightening driver controls. Implementing Hypervisor‑Protected Code Integrity (HVCI) and Kernel‑mode Code Integrity (KMCI) makes it harder for malicious or exploitable drivers to load and for injected kernel code to run, while strict allow‑list policies (for example a WDAC policy that includes Microsoft’s vulnerable driver blocklist) and continuous driver audits reduce the attack surface. As ransomware operators continue to democratize sophisticated evasion techniques, enterprises that invest in layered, kernel‑aware defenses will be better positioned to mitigate the heightened risk.
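To turn those recommendations into a check, the script below is an added example (not code from the article or any vendor) that reports whether VBS, HVCI, an enforced kernel‑mode code integrity policy and the Microsoft vulnerable driver blocklist are active, then inventories running kernel drivers with their signer and SHA256 as the starting point for an allow‑list audit. It must be run elevated. The registry value it reads for the blocklist toggle is the one behind the Windows Security "Microsoft Vulnerable Driver Blocklist" switch on current Windows 11 builds; on older builds the value is absent and the script reports it as not enabled.

```powershell
# Added example: report kernel hardening state and inventory loaded drivers. Run as Administrator.

function Get-KernelHardeningState {
    # Win32_DeviceGuard exposes the VBS/HVCI/WDAC status used by msinfo32 and Windows Security.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced (kernel-mode WDAC policy).
    $kmciEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    # Blocklist toggle; missing key or value is treated as not enabled.
    $bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning               = $hvciRunning
        KernelCiPolicyEnforced    = $kmciEnforced
        VulnerableDriverBlocklist = [bool]($bl.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Get-LoadedDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths WMI returns (\??\C:\... and \SystemRoot\...).
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = [Environment]::ExpandEnvironmentVariables(($path -replace '^\\SystemRoot', '%SystemRoot%'))
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path   # catalog-signed drivers report Valid too
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    Signer = $sig.SignerCertificate.Subject
                    Status = $sig.Status
                }
            }
        }
}

Get-KernelHardeningState | Format-List

# Everything not signed by Microsoft, or with a non-Valid signature, is the review queue:
# compare each SHA256 against your allow-list and the vulnerable driver blocklist.
Get-LoadedDriverInventory |
    Where-Object { $_.Signer -notlike '*Microsoft*' -or $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Signer, SHA256 -AutoSize
```

Expect the third‑party list to include the EDR agent’s own driver and hardware vendor drivers; the goal of the audit is to pin those to known hashes in an allow‑list policy so that an attacker‑supplied driver with a different hash is refused even though it carries a valid signature. A host where `HvciRunning` and `VulnerableDriverBlocklist` are both false is exactly the environment in which a GentleKiller‑style BYOVD payload loads unhindered.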