VYPR
Research · Published Jun 18, 2026 · 2 sources

Gentlemen Ransomware Gang Develops Custom EDR Killer Targeting 48 Security Products

The Gentlemen ransomware-as-a-service gang has developed a custom tool called GentleKiller that disables over 400 security processes across 48 endpoint detection and response products, a leaked internal chat reveals.

The Gentlemen ransomware-as-a-service (RaaS) gang has developed and maintains a custom tool called GentleKiller that targets over 400 security processes across 48 endpoint detection and response (EDR) products, according to research published by ESET. Unlike typical ransomware operations that leave the task of disabling endpoint security to their affiliates, Gentlemen supplies this tool directly to affiliates to disable defenses before deploying encryptors.

An internal data leak from the group in May 2026 confirmed the arrangement and exposed the gang's leader discussing the tool's distribution. The leak, which ESET analyzed, revealed that Gentlemen operates a different business model from most RaaS groups: instead of just providing encryptors and payment infrastructure, they actively develop and maintain a suite of tools specifically designed to shut down EDR products.

GentleKiller works by targeting security processes across a wide range of products from major vendors including Microsoft, CrowdStrike, SentinelOne, Palo Alto Networks, and others. The tool can terminate or disable over 400 distinct security processes, effectively stripping victims of their endpoint protection before the ransomware encryption phase begins. This approach significantly increases the likelihood of successful encryption and extortion.

The discovery highlights a growing trend in the ransomware ecosystem where sophisticated groups are investing in custom tooling to bypass modern defenses. While many RaaS operations rely on publicly available tools or leave EDR evasion to affiliates, Gentlemen's centralized development of GentleKiller represents a more coordinated and effective approach to disabling security controls.

ESET's analysis indicates that Gentlemen has been active since at least early 2025 and has claimed responsibility for several high-profile attacks. The group's encryptor is rented out to affiliates on a profit-sharing basis, but the GentleKiller tool is provided as a value-added service to ensure affiliates can successfully deploy the ransomware without interference from endpoint security products.

The internal leak also revealed that the gang's leader, who uses the alias "Gentleman," has been actively discussing improvements to GentleKiller and its distribution to affiliates. The tool is regularly updated to include new security processes and products, suggesting ongoing development and a commitment to maintaining its effectiveness against evolving defenses.

Organizations are advised to implement defense-in-depth strategies that include network segmentation, application whitelisting, and behavioral detection to complement traditional EDR solutions. While GentleKiller is designed to disable EDR products, layered defenses can still detect and block ransomware activity through other means, such as monitoring for unusual process terminations or file encryption patterns.
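As an added example (not code from the article or from ESET's research), the "unusual process terminations" monitoring suggested above can be written as a small detector over constructed, simplified Sysmon Event ID 10 (ProcessAccess) records: one source process requesting PROCESS_TERMINATE access on several distinct security-product processes within a short window is flagged, while single or non-terminate accesses are ignored. The watched process names, file paths and the pipe-delimited log layout are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a short illustrative list of security-product executables,
# not the 400+ process names GentleKiller is reported to target.
SECURITY_PROCESSES = {
    "msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe", "cyserver.exe",
}
PROCESS_TERMINATE = 0x0001  # access-mask bit for TerminateProcess rights

# Constructed, simplified Sysmon Event ID 10 records: time|source|target|access mask.
SAMPLE_LOG = r"""
2026-06-18T09:00:01|C:\Windows\System32\taskmgr.exe|C:\Windows\System32\notepad.exe|0x1
2026-06-18T09:00:05|C:\Program Files\SentinelOne\updater.exe|C:\Program Files\SentinelOne\SentinelAgent.exe|0x1410
2026-06-18T09:05:10|C:\Users\Public\k.exe|C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe|0x1
2026-06-18T09:05:12|C:\Users\Public\k.exe|C:\Program Files\SentinelOne\SentinelAgent.exe|0x1fffff
2026-06-18T09:05:15|C:\Users\Public\k.exe|C:\Program Files\CrowdStrike\CSFalconService.exe|0x1
2026-06-18T09:05:18|C:\Users\Public\k.exe|C:\Windows\System32\svchost.exe|0x1
"""


def parse_line(line):
    """Split one record into (timestamp, source path, target path, access mask)."""
    ts, source, target, mask = line.split("|")
    return datetime.fromisoformat(ts), source.lower(), target.lower(), int(mask, 16)


def find_mass_termination(lines, window_seconds=60, threshold=3):
    """Return {source_image: [distinct security targets]} for every source that
    requested PROCESS_TERMINATE on >= threshold security processes inside one window."""
    by_source = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, tgt, mask = parse_line(line)
        basename = tgt.rsplit("\\", 1)[-1]
        # Only terminate-capable handles on watched security processes count.
        if mask & PROCESS_TERMINATE and basename in SECURITY_PROCESSES:
            by_source[src].append((ts, basename))

    alerts = {}
    for src, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each event; distinct targets only.
            hit = {name for t, name in events[i:]
                   if t - start <= timedelta(seconds=window_seconds)}
            if len(hit) >= threshold:
                alerts[src] = sorted(hit)
                break
    return alerts
```

Feeding real Sysmon ProcessAccess events into the same logic (and lowering the threshold for sources running from user-writable directories) is the straightforward extension.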

ESET's new research, published June 18, 2026, reveals that the Gentlemen gang has standardized EDR killing by supplying affiliates with a unified suite of tools — including the in-house GentleKiller (eight variants targeting over 400 processes) and third-party tools HexKiller, ThrottleBlood, and HavocKiller. The group's centralized approach, which takes only a 10% affiliate cut versus the industry-standard 20%, allows it to rapidly incorporate newly disclosed vulnerable drivers within days of a proof-of-concept being published, accelerating its growth across Southeast Asia, South America, and Western Europe.

Synthesized by Vypr AI