Gentlemen RaaS Deploys EDR Killers

Gentlemen ransomware-as-a-service (RaaS) has emerged with sophisticated tactics that leverage multiple Endpoint Detection and Response (EDR) killing tools to disable security software before encryption. The operation employs bring-your-own-vulnerable-driver (BYOVD) attacks and exploits legitimate utilities to terminate security processes, making it particularly dangerous for organizations relying solely on endpoint protection. This multi-layered approach to defense evasion represents a significant evolution in ransomware deployment methodologies.

Introduction

A newly identified ransomware operation dubbed “Gentlemen” is making waves in the cybercriminal underground by incorporating multiple EDR-killing capabilities into its attack chain. Unlike traditional ransomware that attempts to evade detection, Gentlemen takes a more aggressive approach by actively hunting and terminating security products before initiating file encryption. This strategy significantly increases the likelihood of successful ransomware deployment and reduces the window for security teams to respond.

The Gentlemen RaaS platform provides affiliates with a comprehensive toolkit that includes multiple EDR neutralization utilities, each targeting different security vendors and deployment scenarios. This redundancy ensures that even if one EDR-killing technique fails, attackers have backup methods to disable protective controls. The emergence of this capability as a commoditized service marks a concerning trend in the ransomware ecosystem.

Background & Context

EDR killers have existed for years, but their integration into ransomware-as-a-service platforms represents a significant shift in threat actor sophistication. Traditional EDR-killing tools like GMER, Process Hacker, and PCHunter have been documented in various attacks, but Gentlemen’s systematic deployment of multiple tools indicates a more mature operational approach.

The BYOVD technique exploits the Windows driver signing requirement by using legitimate, signed drivers that contain vulnerabilities. Attackers load these vulnerable drivers to gain kernel-level access, which allows them to terminate protected processes that normal user-mode applications cannot touch. Microsoft and other vendors have attempted to block known vulnerable drivers through driver blocklists, but threat actors continually discover new candidates.

Gentlemen RaaS appears to have launched within the past several months, though attribution and operator identities remain unclear. The service follows the typical RaaS business model, where core developers maintain the malware infrastructure while affiliates conduct attacks in exchange for a profit share. The inclusion of EDR-killing capabilities as a standard feature suggests the operators have significant technical expertise and access to tools previously reserved for more sophisticated threat groups.

Technical Breakdown

Gentlemen’s EDR-killing arsenal includes multiple utilities deployed in a specific sequence to maximize success rates. The attack chain typically begins after initial access and privilege escalation, immediately before ransomware payload execution.

Driver Exploitation Phase:

The malware first attempts to load vulnerable kernel drivers. Observed samples have utilized drivers from multiple vendors, including:

  • RTCore64.sys (MSI Afterburner)
  • gdrv.sys (Gigabyte)
  • DBUtil_2_3.sys (Dell BIOS utility)

The dropped driver is registered and started as a kernel service through the Service Control Manager, which is what leaves the Event ID 7045 service-installation record in the System log:

sc create VulnDriver binPath= C:\Windows\Temp\rtcore64.sys type= kernel
sc start VulnDriver

Once loaded, these drivers provide kernel-mode access that allows the malware to interact with protected memory regions and terminate processes running with anti-tampering protections.

Process Termination Sequence:

The malware maintains an extensive target list of security processes, including but not limited to:

  • Endpoint detection and response agents
  • Antivirus services
  • Backup software
  • Security monitoring tools
  • Event logging services

Target processes include:
  • MsMpEng.exe (Windows Defender)
  • csfalconservice.exe (CrowdStrike)
  • mbamservice.exe (Malwarebytes)
  • SentinelAgent.exe (SentinelOne)
  • cyserver.exe (Cylance)

Redundancy Mechanisms:

If the BYOVD approach fails, Gentlemen deploys alternative techniques including:

  • Service manipulation – Directly modifying service registry keys to set startup types to “Disabled”
  • WMI-based termination – Using Windows Management Instrumentation to kill processes
  • Boot configuration modifications – Altering safe mode settings to prevent security software from loading during recovery

Impact & Risk Assessment

Immediate Impact:

Organizations hit by Gentlemen ransomware face a significantly reduced detection and response window. With EDR solutions disabled, security teams lose visibility into the attack as it progresses, preventing automated response actions and manual intervention. This creates an environment where ransomware can encrypt files across entire networks before defenders even recognize an incident is occurring.

Data Loss and Business Disruption:

The effectiveness of the EDR-killing techniques means higher encryption success rates. Victims report encryption of critical systems including:

  • Production file servers
  • Database systems
  • Backup repositories
  • Domain controllers
  • Virtualization hosts

Financial Consequences:

Ransom demands associated with Gentlemen attacks have ranged from $50,000 to $5 million depending on victim size and revenue. The disabled EDR also prevents early intervention that might limit the scope of encryption, typically resulting in more extensive damage and higher recovery costs.

Detection Difficulty:

The stealthy nature of kernel-mode attacks makes detection particularly challenging. Many organizations rely heavily on EDR as their primary security control, creating a single point of failure that Gentlemen specifically targets.

Vendor Response

Multiple security vendors have released updated detection signatures and behavioral analytics to identify Gentlemen’s EDR-killing activities:

Microsoft has added several of the observed vulnerable drivers to the Windows driver blocklist and enhanced Microsoft Defender’s tamper protection features to detect kernel-level termination attempts.

CrowdStrike issued a technical advisory warning customers about the threat and recommending enabling early-launch anti-malware (ELAM) drivers and custom indicators of attack (IOAs) focused on driver loading behaviors.

SentinelOne updated their behavioral AI models to detect the specific process termination patterns associated with the malware’s EDR-killing sequence.

Sophos published indicators of compromise and recommended implementing application control policies to prevent unauthorized driver installations.

Several vendors have also collaborated to share threat intelligence about Gentlemen’s infrastructure, payment wallets, and affiliate identifiers to improve collective defense capabilities.

Mitigations & Workarounds

Driver Control Policies:

Implement strict application control and driver signature requirements:

# Turn on user-mode code integrity in an existing WDAC policy (option 0 = Enabled:UMCI);
# the edited XML still has to be converted with ConvertFrom-CIPolicy and deployed before it enforces anything
Set-RuleOption -FilePath "C:\WDAC\Policy.xml" -Option 0

# Enforce the Microsoft vulnerable driver blocklist (registry-backed setting; the same
# toggle appears under Core isolation in Windows Security)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config" `
    -Name "VulnerableDriverBlocklistEnable" -PropertyType DWord -Value 1 -Force

Layered Security Architecture:

Avoid single-point-of-failure security models by deploying:

  • Network-based detection systems that EDR killers cannot reach
  • Immutable logging to external SIEM solutions
  • Hardware-isolated backup systems
  • Network segmentation to contain lateral movement

Privilege Restriction:

Limit administrative access and driver installation capabilities:

# Apply a security template that assigns the "Load and unload device drivers" right
# (SeLoadDriverPrivilege) only to a named administrators group; driver_restriction.inf
# is the template exported and edited from the Local Security Policy console
secedit /configure /db secedit.sdb /cfg driver_restriction.inf

Tamper Protection:

Enable all available tamper protection features in endpoint security products and validate they cannot be disabled without multi-factor authentication.

Detection & Monitoring

Event Log Monitoring:

Monitor Windows Event Logs for suspicious driver loading activities:

Event ID 1033 - Code Integrity driver loading
Event ID 3033 - Code Integrity driver blocklist violation
Event ID 7045 - Service installation (System log)
Event ID 4697 - Service installation (Security log)

File System Monitoring:

Watch for vulnerable driver files appearing in unusual locations:

C:\Windows\Temp\*.sys
C:\ProgramData\*.sys
C:\Users\*\AppData\Local\Temp\*.sys

Process Monitoring:

Detect abnormal security service termination patterns through Sysmon or EDR telemetry that feeds external collection points. The Sysmon filter below records Event ID 5 (ProcessTerminate) only for the named security agents, so an exit of either process reaches the collector:

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <ProcessTerminate onmatch="include">
      <Image condition="end with">MsMpEng.exe</Image>
      <Image condition="end with">csfalconservice.exe</Image>
    </ProcessTerminate>
  </EventFiltering>
</Sysmon>

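As an added example (not code from the original article, nor from any vendor named in it), the following Python applies two of the monitoring ideas from the Event Log, File System and Process Monitoring passages above to exported event records: a 7045 service installation whose image is a .sys file in a user-writable directory (or one of the listed vulnerable driver names), and a burst of Sysmon Event ID 5 terminations covering two or more distinct security agents on one host. The record layout (dictionaries with the fields shown), host names, timestamps and sample paths are assumptions constructed for this example.

```python
"""Added example (not from the original article): an offline correlation pass
over constructed Windows event records implementing two detections:

  Rule 1  System log Event ID 7045 (service installed) whose image is a .sys
          file under a user-writable directory, or whose file name is one of
          the vulnerable drivers the article lists  ->  BYOVD staging.
  Rule 2  Sysmon Event ID 5 (ProcessTerminate) for two or more *distinct*
          security agents on one host inside a short window  ->  kill sequence.

All sample records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Driver and process names taken from the article, lower-cased for matching.
KNOWN_VULN_DRIVERS = {"rtcore64.sys", "gdrv.sys", "dbutil_2_3.sys"}
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "mbamservice.exe",
                      "sentinelagent.exe", "cyserver.exe"}
# Locations from the File System Monitoring section: no legitimate kernel
# driver is installed from here.
USER_WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\programdata\\", "c:\\users\\")

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def basename(path):
    """Lower-cased file name component of a (possibly quoted) Windows path."""
    return path.lower().strip('"').rsplit("\\", 1)[-1]


def driver_staging_alerts(events):
    """Rule 1: 7045 records that install a kernel driver from user-writable space."""
    alerts = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        path = ev["image_path"].lower().strip('"')
        name = basename(path)
        writable_sys = path.endswith(".sys") and path.startswith(USER_WRITABLE_PREFIXES)
        if writable_sys or name in KNOWN_VULN_DRIVERS:
            alerts.append({"rule": "byovd_driver_staging", "host": ev["host"], "time": ev["time"],
                           "service": ev["service"], "path": path,
                           "known_vulnerable": name in KNOWN_VULN_DRIVERS})
    return alerts


def termination_burst_alerts(events, window_seconds=60, min_distinct=2):
    """Rule 2: hosts where >= min_distinct different security processes end
    within window_seconds. Requiring distinct names keeps a single agent
    restarting during an update from raising an alert."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["id"] == 5 and basename(ev["image"]) in SECURITY_PROCESSES:
            by_host[ev["host"]].append((datetime.strptime(ev["time"], TIME_FMT), basename(ev["image"])))
    alerts = []
    window = timedelta(seconds=window_seconds)
    for host, hits in sorted(by_host.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - start <= window}
            if len(names) >= min_distinct:
                alerts.append({"rule": "security_process_termination_burst", "host": host,
                               "time": start.strftime(TIME_FMT), "processes": sorted(names)})
                break  # one alert per host is enough for triage
    return alerts


def analyze(events):
    """Run both rules; driver-staging alerts come first, then termination bursts."""
    return driver_staging_alerts(events) + termination_burst_alerts(events)


# Constructed sample telemetry: a benign single agent restart on WS-01, a benign
# driver install from System32 on WS-03, and the full staging-then-kill pattern on WS-07.
SAMPLE_EVENTS = [
    {"id": 5, "host": "WS-01", "time": "2024-05-01 09:00:00",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"id": 7045, "host": "WS-03", "time": "2024-05-01 09:30:00", "service": "exampledrv",
     "image_path": r"\SystemRoot\System32\drivers\exampledrv.sys", "service_type": "kernel mode driver"},
    {"id": 7045, "host": "WS-07", "time": "2024-05-01 10:15:02", "service": "VulnDriver",
     "image_path": r"C:\Windows\Temp\rtcore64.sys", "service_type": "kernel mode driver"},
    {"id": 5, "host": "WS-07", "time": "2024-05-01 10:15:09",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"id": 5, "host": "WS-07", "time": "2024-05-01 10:15:11",
     "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"id": 5, "host": "WS-07", "time": "2024-05-01 10:15:12",
     "image": r"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the WS-01 restart and the System32 driver produce nothing, while WS-07 raises the staging alert at 10:15:02 and the termination burst seven seconds later; in a real pipeline the same host appearing in both rules within a minute is the high-confidence signal, and the telemetry must already be off-host, since the second alert is generated by the very processes being killed.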
Network Indicators:

Monitor for command-and-control communications and ransomware note hosting domains associated with Gentlemen infrastructure.

Best Practices

Organizations should implement comprehensive defense-in-depth strategies:

Architectural Resilience:

  • Deploy security controls at network, host, and application layers
  • Ensure critical security telemetry flows to immutable, off-system storage
  • Implement network segmentation to prevent lateral movement

Access Control:

  • Enforce principle of least privilege across all systems
  • Require multi-factor authentication for administrative actions
  • Regularly audit privileged access and driver installation permissions

Backup Integrity:

  • Maintain air-gapped or immutable backups
  • Test restoration procedures regularly
  • Ensure backup systems are isolated from production networks

Incident Response Preparation:

  • Develop and test ransomware-specific incident response playbooks
  • Establish out-of-band communication channels
  • Pre-position response tools on isolated systems

Vulnerability Management:

  • Maintain current patch levels across all systems
  • Prioritize updates for remote access and public-facing services
  • Monitor Microsoft’s vulnerable driver blocklist and update accordingly

Key Takeaways

  • Gentlemen RaaS represents an evolution in ransomware sophistication through systematic EDR neutralization
  • Multiple EDR-killing tools provide redundancy that increases attack success rates
  • BYOVD techniques exploit legitimate signed drivers to gain kernel-level access
  • Single-layer security architectures create catastrophic single points of failure
  • Organizations must implement defense-in-depth strategies with telemetry that survives EDR compromise
  • Driver installation controls and vulnerable driver blocklists are critical preventive measures
  • Network-based detection and immutable logging provide visibility when endpoint security fails

The emergence of Gentlemen as a RaaS platform democratizes previously sophisticated techniques, making EDR-killing capabilities available to lower-skilled affiliates. This trend will likely continue as other ransomware operations adopt similar approaches.

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.