What Happened
A newly observed variant of the Gentlemen ransomware family has begun deploying multiple Endpoint Detection and Response (EDR) killer utilities in a coordinated pre-encryption phase, significantly raising the stakes for enterprise defenders. First identified in mid-June 2026, this variant chains together several publicly available and custom EDR termination tools to disable endpoint defenses from multiple vendors simultaneously before executing its encryption routine. Security researchers tracking the campaign report that the operators are deliberately targeting enterprises running layered endpoint protection stacks, seeking to blind security operations centres (SOCs) at the critical moment of attack.
How It Works
The Gentlemen ransomware variant employs a multi-stage kill chain that prioritises defence evasion above all else. Upon gaining initial access — typically through spear-phishing or exploitation of externally facing services — the attackers deploy a loader that retrieves and executes a bundle of EDR killer tools. The bundle includes:
- Backstab — a tool leveraging a vulnerable Microsoft-signed driver (bring-your-own-vulnerable-driver, or BYOVD, technique) to terminate protected processes associated with Microsoft Defender for Endpoint.
- Terminator — a utility that abuses the Zemana AntiMalware driver to kill processes belonging to a broad range of EDR and AV products including CrowdStrike Falcon, SentinelOne, and Carbon Black.
- A new custom dropper — internally named “GentleKill” — which enumerates running security services and attempts to stop them via a combination of service control manager abuse, registry tampering, and WMI-based process termination.
These tools are deployed simultaneously rather than sequentially, ensuring that even if one EDR product detects and blocks one killer tool, the others may still succeed. Once endpoint defences are neutralised, the ransomware payload is dropped and executed, encrypting files with a combination of AES-256 and RSA-4096. The ransomware appends the .gentle extension and drops a ransom note named HOW_TO_RECOVER.txt in every affected directory.
The loader also performs reconnaissance to identify which EDR products are present before selecting the appropriate killer tools, demonstrating a level of pre-operation intelligence gathering that suggests the operators profile their targets before striking.
Impact
The simultaneous deployment of multiple EDR killer tools represents a meaningful escalation in ransomware defence-evasion tactics. Key impacts include:
- Defence evasion at scale: Organisations relying on a single EDR vendor — even those with tamper protection enabled — face an elevated risk of complete endpoint blindness during the attack window.
- SOC blind spots: With telemetry feeds severed, security analysts lose visibility into attacker lateral movement, data exfiltration, and encryption activity in real time.
- Extended dwell time: Victims may not discover the breach until ransom notes appear, giving attackers ample time to exfiltrate sensitive data for double-extortion leverage.
- Cross-platform risk: While the current campaign targets Windows environments, the modular loader architecture could be adapted for Linux and macOS EDR products in future iterations.
Detection
Organisations should look for the following indicators of Gentlemen ransomware activity targeting EDR products:
- Unexpected service termination events for security products (Event ID 7034/7036 in the Windows System log).
- Loading of known vulnerable drivers, particularly those associated with Zemana, Process Hacker, or other commonly abused BYOVD vectors (Sysmon Event ID 6 for driver loads).
- WMI activity executing process termination commands against security-related executables.
- Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services targeting security service start types.
- Network connections to known Gentlemen C2 infrastructure (IOCs available from BleepingComputer’s reporting).
- Presence of files with the .gentle extension and HOW_TO_RECOVER.txt ransom notes.
Recommendations
- Verify EDR tamper protection: Ensure tamper protection features are enabled and configured to the highest level available from your EDR vendor. Regularly validate that these protections cannot be bypassed by known BYOVD techniques.
- Test resilience regularly: Conduct adversary simulation exercises that specifically mimic multi-tool EDR killer deployments. Tabletop exercises and purple-team engagements should include scenarios where endpoint telemetry is deliberately degraded.
- Implement network segmentation: Restrict lateral movement by segmenting critical assets from general user workstations. Zero-trust network architectures limit an attacker’s ability to move freely even if endpoint controls are compromised.
- Maintain offline backups: Follow the 3-2-1 backup rule (three copies, two different media, one offsite and offline). Immutable backup solutions that cannot be reached or altered from the production network are essential against modern ransomware operators.
- Deploy attack surface reduction rules: Block the loading of known vulnerable drivers via Windows Defender Application Control (WDAC) or AppLocker policies.
- Monitor for BYOVD indicators: Enable logging for driver load events and configure alerts for any unexpected or unsigned kernel driver loads in your environment.
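The detection indicators above and the BYOVD monitoring recommendation, worked as an added example that is not from the report or from any vendor: a Python triage pass over parsed Windows System and Sysmon events that flags security-service stops, known vulnerable or unsigned driver loads and WMI process termination, then correlates them per host, because simultaneous multi-tool deployment shows up as several distinct indicator classes on one machine within minutes rather than as a single alert. The service, executable and driver names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
# Assumed names for illustration only; the report lists no service or driver names.
SECURITY_SERVICES = {"windefend", "sense", "csfalconservice", "sentinelagent"}
SECURITY_EXES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe"}
KNOWN_BYOVD_DRIVERS = {"zam64.sys", "zamguard64.sys", "kprocesshacker.sys"}
WMI_KILL = re.compile(r"\bwmic\b.*\bprocess\b.*\b(delete|terminate)\b", re.I)

def triage_event(evt):
    """Map one parsed event to an (indicator_category, detail) pair, or None if benign."""
    eid, d = evt["EventID"], evt.get("Data", {})
    if evt["Channel"] == "System" and eid in (7034, 7036):   # service crash / state change
        svc, state = d.get("param1", ""), d.get("param2", "").lower()
        if (eid == 7034 or state == "stopped") and svc.lower() in SECURITY_SERVICES:
            return ("service_stop", svc)
    elif evt["Channel"] == "Microsoft-Windows-Sysmon/Operational":
        if eid == 6:                                          # Sysmon DriverLoad
            name = d.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
            if name in KNOWN_BYOVD_DRIVERS:
                return ("byovd_driver", name)
            if d.get("Signed", "true").lower() != "true":
                return ("unsigned_driver", name)
        elif eid == 1:                                        # Sysmon ProcessCreate
            cmd = d.get("CommandLine", "")
            if WMI_KILL.search(cmd) and any(x in cmd.lower() for x in SECURITY_EXES):
                return ("wmi_kill", cmd)
    return None

def correlate(events, window=300):
    """Return {host: [categories]} where >= 2 distinct indicator categories fire within `window` seconds."""
    per_host = defaultdict(list)
    for evt in events:
        hit = triage_event(evt)
        if hit:
            per_host[evt["Host"]].append((evt["Time"], hit[0]))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()                                           # oldest first
        for i, (t0, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - t0 <= window}
            if len(cats) >= 2:
                flagged[host] = sorted(cats)
                break
    return flagged

# Constructed sample telemetry (epoch seconds); not real events from the campaign.
SAMPLE_EVENTS = [
    {"Host": "ws01", "Time": 1000, "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 6, "Data": {"ImageLoaded": "C:\\Windows\\Temp\\zam64.sys", "Signed": "true"}},
    {"Host": "ws01", "Time": 1012, "Channel": "System", "EventID": 7036, "Data": {"param1": "WinDefend", "param2": "stopped"}},
    {"Host": "ws01", "Time": 1020, "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Data": {"CommandLine": "wmic process where name='MsMpEng.exe' delete"}},
    {"Host": "ws02", "Time": 5000, "Channel": "System", "EventID": 7036, "Data": {"param1": "Spooler", "param2": "stopped"}},
]
```

A single stop of a security service is noisy on its own (patching, reboots); the per-host correlation is what separates an EDR-killer bundle from routine maintenance.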
References
- BleepingComputer — “Gentlemen Ransomware Deploys Multiple EDR Killers” (June 2026)
