Gentlemen ransomware uses multiple EDR killers to disable defenses
Cybersecurity
AI-assisted

Techpivo News
This article was produced with the assistance of AI technology (gemini-grounded). It has been reviewed and edited by our editorial team to ensure accuracy and quality.
By Bill Toulas, June 18, 2026, 06:31 PM

The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.

The gang's most frequently used tool is a custom utility that researchers dubbed GentleKiller. It has at least eight variants and impersonates various legitimate security products, including Kaspersky, Valorant, Javelin, and WatchDog.

An EDR killer is typically used to disable defenses in the early phases of an attack; in ransomware incidents, it ensures that data theft or encryption runs unencumbered. These tools work by leveraging the 'bring your own vulnerable driver' (BYOVD) technique to elevate privileges and disable security engines.

According to ESET researchers, each GentleKiller variant uses different vulnerable drivers to achieve kernel-level privileges. However, they all share common strings, identical code obfuscation techniques, and similar process-killing logic and targeting scope. The analysis of the variants indicates that the framework is designed to allow easy driver swaps, or the weaponization of newly disclosed flaws, without requiring major code changes.

[Figure: Variant names and drivers used. Source: ESET]

ESET states that GentleKiller targets more than 400 processes associated with approximately 48 security vendors/products, such as Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky.

[Figure: GentleKiller process. Source: ESET]

The binaries for the EDR killer tool are protected by the commercial Enigma and Themida packing and code-protection tools. ESET notes that the threat
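As an added example (not code from the article or from ESET), the following detection heuristic looks for the sequence the article describes: a load of a known-vulnerable driver followed, within a short window, by the termination of security-product processes belonging to several different vendors. The JSON-lines telemetry format, the placeholder driver hash, the sample records and the threshold values are all assumptions constructed for this illustration.

```python
import json
from datetime import datetime, timedelta

# Placeholder, not a real hash: populate from a maintained vulnerable-driver catalogue.
KNOWN_VULNERABLE_DRIVER_HASHES = {"placeholder_sha256_of_known_vulnerable_driver"}
# Vendors named in the article as GentleKiller targets.
SECURITY_VENDORS = {"Microsoft", "CrowdStrike", "SentinelOne", "Palo Alto", "Sophos",
                    "Trend Micro", "ESET", "Bitdefender", "Trellix", "Kaspersky"}

# Constructed sample telemetry in a hypothetical JSON-lines format (not real logs).
SAMPLE_LOG = """
{"ts": "2026-06-18T14:00:02", "event": "DriverLoad", "image": "kaspersky_update.sys", "sha256": "placeholder_sha256_of_known_vulnerable_driver"}
{"ts": "2026-06-18T14:00:05", "event": "ProcessTerminated", "image": "MsMpEng.exe", "vendor": "Microsoft"}
{"ts": "2026-06-18T14:00:06", "event": "ProcessTerminated", "image": "SentinelAgent.exe", "vendor": "SentinelOne"}
{"ts": "2026-06-18T14:00:06", "event": "ProcessTerminated", "image": "CSFalconService.exe", "vendor": "CrowdStrike"}
{"ts": "2026-06-18T14:00:07", "event": "ProcessTerminated", "image": "ekrn.exe", "vendor": "ESET"}
{"ts": "2026-06-18T15:30:00", "event": "ProcessTerminated", "image": "notepad.exe", "vendor": null}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def detect_edr_killer(text, window=timedelta(minutes=5), min_vendors=3):
    """Return alerts for (1) a driver load whose hash is on the vulnerable list and
    (2) terminations of security processes from >= min_vendors distinct vendors
    inside `window`; (2) is tagged '_after_byovd' when (1) precedes it in-window."""
    events = parse_events(text)
    loads = [e for e in events if e["event"] == "DriverLoad"
             and e.get("sha256", "").lower() in KNOWN_VULNERABLE_DRIVER_HASHES]
    alerts = [("vulnerable_driver_load", e["ts"], e["image"]) for e in loads]
    kills = [e for e in events if e["event"] == "ProcessTerminated"
             and e.get("vendor") in SECURITY_VENDORS]
    for i, first in enumerate(kills):
        burst = [k for k in kills[i:] if k["ts"] - first["ts"] <= window]
        vendors = sorted({k["vendor"] for k in burst})
        if len(vendors) >= min_vendors:
            preceded = any(timedelta(0) <= first["ts"] - l["ts"] <= window for l in loads)
            kind = "mass_security_process_kill" + ("_after_byovd" if preceded else "")
            alerts.append((kind, first["ts"], vendors))
            break  # one alert per burst is enough for triage
    return alerts
```

Tuning note: a single security process restarting is normal, so the vendor-count threshold is what separates routine service churn from the cross-vendor kill sweep the article attributes to GentleKiller.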
