
Security • Technology

Gentlemen Ransomware Uses EDR Killers to Disable Defenses

TBB Desk

11 hours ago · 14 min read

Visual representation of Gentlemen ransomware employing EDR killer techniques to bypass security measures. (Illustrative AI-generated image).

Key Takeaways

The main points at a glance

  • What is the Gentlemen Ransomware?
  • How the EDR Killers Work
  • The Scale of the Threat: Over 400 Processes Targeted
  • Beyond Endpoints: Using Microsoft Teams and Proxies
  • Who is at Risk?

A new ransomware tool can disable nearly every major antivirus and endpoint security product on the market. That is not an exaggeration. The tool, developed by a ransomware group called Gentlemen, can shut down the very software that is supposed to stop it. For businesses, this is a serious problem. Your best defenses might suddenly go silent. And then the attackers can move in.

Think of it like a thief who carries a master key that opens every lock in a building. Once the thief disables the locks, they can walk through any door. That is what this ransomware does. It targets the security software on a computer and turns it off. Then it encrypts files and demands payment. The group behind this is called Gentlemen. They run a ransomware-as-a-service (RaaS) operation. That means they sell or rent their ransomware and tools to other criminals, called affiliates. Those affiliates carry out the actual attacks. And now those affiliates have a powerful new weapon: a suite of tools designed to kill endpoint detection and response (EDR) systems.

EDR is a type of security software that watches for suspicious activity on computers and networks. It is like a security guard that never sleeps. Many companies rely on EDR to catch malware before it can cause damage. But the Gentlemen group has built tools that can stop that guard. One of their tools, called GentleKiller, can target more than 400 different security processes. Those processes belong to 48 different security products. That includes many of the biggest names in antivirus and EDR software. If you are running one of those products, this tool might be able to shut it down.

What is the Gentlemen Ransomware?

Gentlemen is not a household name like some other ransomware groups. But it is becoming more dangerous. The group operates as a ransomware-as-a-service. That means they develop the ransomware and the tools to deliver it. Then they recruit affiliates to do the dirty work. Affiliates get a cut of the ransom payments. This model has made ransomware a booming business for criminals. It allows groups like Gentlemen to focus on improving their technology while affiliates focus on breaking into companies.

The Gentlemen group stands out because they invest heavily in evasion. Most ransomware groups try to sneak past security software. They use tricks like obfuscation or delayed execution. But Gentlemen takes a more direct approach. They try to knock out the security software entirely. That is where the EDR killers come in. These are specialized programs that look for running security processes and terminate them. They can also delete or corrupt security-related files and registry keys. Once the security software is gone, the ransomware can run freely.

Security researchers from multiple companies have studied the Gentlemen group. Reports from BleepingComputer, WeLiveSecurity, Check Point Research, and Help Net Security all describe the same basic finding: Gentlemen maintains a suite of EDR-killing tools. One of those tools is GentleKiller. It is modular, meaning it can be updated to target new security products. The group also uses other tricks to hide their activities, such as abusing Microsoft Teams relays and using a proxy tool called SystemBC.

How the EDR Killers Work

To understand how these EDR killers work, you need to know a little about how security software runs. EDR products install services and drivers on a computer. Those services run in the background, scanning for threats. They also have processes that are visible to the operating system. An EDR killer is a program that finds those processes and forces them to stop. It is like pulling the plug on a security camera.

Gentlemen’s EDR killers do this in a sophisticated way. They first scan the system for known security processes. They have a list of process names from many different products. When they find a match, they try to terminate it. They may also try to delete the security software’s files or corrupt its configuration. Some EDR killers use techniques like loading a malicious driver that can bypass Windows protections. Others exploit vulnerabilities in the security software itself. The goal is always the same: make the security software stop working.

What makes Gentlemen’s tools especially dangerous is that they are maintained and updated. Security vendors constantly update their products to block these kinds of attacks. But the Gentlemen group responds by updating their killers. It is an arms race. And right now, the criminals are winning in many cases. The tools are sold or given to affiliates as part of the RaaS package. So even a less skilled attacker can use them.

The GentleKiller tool, in particular, is a standout. According to reports, it targets more than 400 security processes across 48 different security products. That is an enormous list. It covers most of the major EDR and antivirus vendors. If you are running one of those products, there is a good chance this tool knows how to shut it down. The list includes both consumer and enterprise products. So home users are not safe either, but the main targets are businesses.

The Scale of the Threat: Over 400 Processes Targeted

Let us put that number in perspective. Four hundred different security processes. That means the tool has a database of what to look for on a victim’s computer. It checks for processes like antivirus scanners, firewall modules, and EDR agents. When it finds one, it tries to kill it. The tool is designed to be thorough. It does not just stop at one or two products. It goes after everything it can find.

The 48 products targeted include many well-known names. While the exact list is not public, it likely includes products from companies like Microsoft, CrowdStrike, SentinelOne, McAfee, Norton, and others. Any company using endpoint security should assume their product might be on that list. The tool is not perfect. Some security products have protections against being terminated. But the Gentlemen group is constantly updating their tool to find new ways around those protections.

This scale is unprecedented in the ransomware world. Other groups have used EDR killers before, but usually targeting a small number of products. Gentlemen has made it a core part of their strategy. They have built a dedicated team to develop and maintain these tools. That shows a level of organization and investment that is worrying for defenders.

The impact on a business can be devastating. When the EDR killer runs, the security software stops reporting. Alerts do not go out. Logs may not be recorded. The attackers then have a window of time to deploy the ransomware. They can move laterally across the network, steal data, and encrypt files without anyone noticing. By the time the security software comes back online, it is too late. The damage is done.

Beyond Endpoints: Using Microsoft Teams and Proxies

Gentlemen does not rely only on EDR killers. They also use other techniques to hide their activity. One of those techniques is abusing Microsoft Teams relays. Microsoft Teams is a communication tool used by many businesses. It allows users to send messages and make calls. But it can also be used to relay network traffic. The Gentlemen group has found a way to hide their malicious traffic inside Teams traffic. This makes it harder for network security tools to spot the attack.

Think of it like hiding a letter inside a normal envelope. The network sees Teams traffic and assumes it is legitimate. But inside that traffic, the attackers are sending commands or exfiltrating data. This technique is called living off the land. It uses trusted services to avoid detection. Microsoft Teams is just one example. The group may also abuse other cloud services.

In addition to Teams, the group uses a proxy tool called SystemBC. A proxy is a middleman that hides the true source of network traffic. SystemBC is a known tool used by several ransomware groups. It creates an encrypted tunnel between the victim’s network and the attacker’s command-and-control servers. This makes it hard for investigators to trace the attack back to its source. Check Point Research linked Gentlemen to SystemBC, suggesting that the group has a broader infrastructure for evading network monitoring.

So the attack chain looks like this: First, the affiliate breaks into the network. Then they deploy the EDR killer to disable security software. Then they use tools like SystemBC and Teams relays to move around undetected. Finally, they deploy the ransomware. This multi-layered approach makes Gentlemen attacks particularly hard to stop.

Who is at Risk?

Any organization that uses endpoint security is at risk. But some sectors are more likely targets. The research suggests that Gentlemen primarily targets organizations with robust security. That includes finance, healthcare, and critical infrastructure. These sectors have valuable data and often pay ransoms to get it back. Attackers know this. They also know these organizations invest in EDR products. So they have a strong incentive to develop tools that can bypass those products.

Small and medium businesses are also at risk. They may have less sophisticated security teams. If their EDR product is on the target list, they could be hit just as hard. And because Gentlemen operates as a RaaS, even low-skill attackers can use these tools. That means more attacks, not just from Gentlemen themselves but from anyone who rents their platform.

The attacks are not limited to any specific region. Ransomware is a global problem. However, English-speaking countries like the United States, Canada, the UK, and Australia are common targets. That is partly because they have many businesses that can afford to pay ransoms. But any company connected to the internet is a potential victim.

What This Means for the Future of Ransomware

The development of EDR killers by Gentlemen is a sign of a larger trend. Ransomware groups are getting more sophisticated. They are no longer just sending spam emails with attachments. They are investing in research and development. They are building tools that can defeat the latest security products. This is an escalation in the cat-and-mouse game between defenders and attackers.

Other ransomware groups are likely to follow suit. If Gentlemen’s tools prove effective, other groups will want similar capabilities. Some may copy the techniques. Others may buy or rent the tools from Gentlemen. The RaaS model makes this easy. We may see a marketplace for EDR killers emerge, just as there is a marketplace for ransomware code itself.

This also puts pressure on security vendors. They need to find new ways to protect their products from being killed. Some are already building self-defense mechanisms. For example, they can use kernel-level protections that are harder to bypass. They can also use behavior monitoring that does not rely on a single process. But these defenses are not foolproof. The arms race will continue.

For businesses, the message is clear: Do not rely on a single layer of defense. EDR is important, but it is not enough. You need a defense-in-depth strategy. That means using multiple security tools that overlap. If one fails, another can catch the threat. It also means monitoring for signs of EDR killers. Look for sudden stops in security processes. Watch for unusual network traffic, especially to Microsoft Teams or other cloud services. And have a plan for what to do if your EDR goes offline.

How to Defend Against EDR Killers

Defending against EDR killers is not easy, but there are steps you can take. First, keep your security software up to date. Vendors release patches to fix vulnerabilities that EDR killers exploit. Make sure those patches are applied quickly. Second, use security products that have self-defense features. Some EDR products can detect when someone tries to terminate them and alert the security team.

Third, monitor for indicators of compromise. While the research did not provide specific file names or hashes, you can look for unusual behavior, such as a sudden spike in process terminations or a service that stops running without explanation. Security information and event management (SIEM) tools can help correlate these events. Fourth, use network segmentation. If an attacker compromises one part of the network, they should not be able to reach all systems. This limits the damage.

Fifth, train your employees. Many ransomware attacks start with a phishing email. If employees know how to spot suspicious messages, they can help prevent the initial breach. Sixth, have offline backups. If the ransomware does encrypt your files, you can restore from backups without paying. Make sure backups are stored offline or in a separate network that attackers cannot reach.

Finally, consider using endpoint detection that does not rely solely on processes. Some next-generation antivirus products use machine learning and behavioral analysis. They can detect threats even if their own process is killed. Also, consider deploying additional monitoring tools like network detection and response (NDR). These can spot malicious traffic even if the endpoint is compromised.
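The monitoring step above (correlating process terminations and service stops the way a SIEM rule would, to catch the "sudden stop in security processes" the article warns about) as an added example; this is not code from the article or from any of the cited researchers. Event IDs 4689 (process exited) and 7036 (service state change) are real Windows event IDs, but the log format, host names and the watched process and service names are constructed placeholders, not any vendor's real binaries.

```python
# Added example: flag hosts where several watched security components are
# terminated or stopped inside a short window, the pattern an EDR killer leaves
# behind. Watch-list names and log lines are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch-list (placeholders, not real vendor binaries/services).
SECURITY_PROCESSES = {"edragent.exe", "avscanner.exe", "fwmodule.exe", "sensorsvc.exe"}
SECURITY_SERVICES = {"EdrAgent", "AvScanner", "SensorSvc"}

# Constructed log lines in the form "<timestamp>|<event_id>|<host>|<key=value ...>".
# 4689 = "A process has exited" (Security log), 7036 = service state change (System log).
SAMPLE_LOG = """\
2026-01-10T09:00:01|4689|WS01|process=notepad.exe
2026-01-10T09:00:05|4689|WS01|process=edragent.exe
2026-01-10T09:00:06|4689|WS01|process=avscanner.exe
2026-01-10T09:00:06|7036|WS01|service=EdrAgent state=stopped
2026-01-10T09:00:07|4689|WS01|process=fwmodule.exe
2026-01-10T09:00:08|7036|WS01|service=SensorSvc state=stopped
2026-01-10T11:30:00|4689|WS02|process=avscanner.exe
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, host, fields)."""
    ts, event_id, host, detail = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return datetime.fromisoformat(ts), int(event_id), host, fields


def security_kill_events(log_text):
    """Yield (timestamp, host, name) for each exit/stop of a watched security component."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, host, fields = parse_line(line)
        if event_id == 4689 and fields.get("process", "").lower() in SECURITY_PROCESSES:
            yield ts, host, fields["process"]
        elif (event_id == 7036 and fields.get("service") in SECURITY_SERVICES
              and fields.get("state") == "stopped"):
            yield ts, host, fields["service"]


def detect_edr_kill_bursts(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {host: [component names]} for hosts where at least `threshold`
    watched components stopped within one `window`; a lone stop is ignored,
    since single restarts during patching are normal."""
    per_host = defaultdict(list)
    for ts, host, name in security_kill_events(log_text):
        per_host[host].append((ts, name))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i in range(len(events)):
            j = i  # extend the window forward from events[i]
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[host] = sorted({name for _, name in events[i:j]})
                break
    return alerts


if __name__ == "__main__":
    for host, names in detect_edr_kill_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(names)} security components stopped: {', '.join(names)}")
```

Tune `window` and `threshold` to your environment; on a real deployment the input would be the SIEM's normalized 4689/7036 events rather than the constructed lines above.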

The Gentlemen ransomware group shows that the threat is real and growing. Their EDR killers are a powerful weapon. But with the right defenses, organizations can reduce their risk. Stay vigilant, update your systems, and do not put all your trust in a single security product. The attackers are innovating. Defenders must innovate too.

Frequently Asked Questions

What is the Gentlemen Ransomware?

Gentlemen Ransomware is a new tool developed by a group called Gentlemen. It is designed to disable security software on computers. The group operates a ransomware-as-a-service model, selling their tools to other criminals.

How does this ransomware disable security software?

Gentlemen Ransomware uses tools called EDR killers. These tools find and terminate security processes running on a computer. They can also delete or corrupt security-related files, effectively shutting down defenses.

What is EDR and why is it important?

EDR stands for Endpoint Detection and Response. It is a type of security software that monitors computers and networks for suspicious activity. EDR acts like a security guard, aiming to catch malware before it can cause harm.

How many security products can the GentleKiller tool disable?

The GentleKiller tool can target over 400 different security processes. These processes belong to approximately 48 different security products, including many major antivirus and EDR solutions.

Who is behind the Gentlemen Ransomware?

The ransomware is developed by a group called Gentlemen. They operate a ransomware-as-a-service (RaaS) business, where they provide their tools to other criminals known as affiliates who carry out the actual attacks.

Are only businesses targeted by this ransomware?

While businesses are the main targets, the Gentlemen Ransomware and its tools can affect both consumer and enterprise products. This means home users are also potentially at risk.

Why is this ransomware considered particularly dangerous?

This ransomware is dangerous because it directly attacks and disables the security software meant to protect systems. The Gentlemen group actively updates their tools to overcome security vendor defenses, creating an ongoing challenge.

References

  • Gentlemen ransomware uses multiple EDR killers to disable defenses – BleepingComputer (original report)
  • Killing me gently: Inside Gentlemen’s EDR killer framework – WeLiveSecurity. In-depth analysis of the EDR killer framework, emphasizing its modular design and sophistication.
  • Ransomware gang abuses Microsoft Teams relays to hide malicious traffic – BleepingComputer. Reporting on the gang’s use of Microsoft Teams relays to hide malicious traffic, adding a layer of network evasion to the EDR-killing strategy.
  • DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy – Check Point Research. Links Gentlemen to the SystemBC proxy tool, indicating a broader infrastructure for evading network monitoring.
  • GentleKiller targets more than 400 security processes across 48 products – Help Net Security. Highlights the scale of the EDR killer, which targets over 400 security processes across 48 products.