Hackers Weaponize GentleKiller to Bypass 400 Security Tools

A fresh ransomware operation is quietly handing affiliates a set of utilities that shut down hundreds of endpoint security products before the real attack begins. The move underscores how RaaS crews are shifting from simple encryption to full-spectrum evasion toolkits.
A Growing Arsenal of EDR Killers
Researchers tracking the group now known as The Gentlemen have documented a mature lineup of “EDR-killers” built around a framework called GentleKiller. The toolkit is designed to terminate more than 400 processes tied to endpoint detection and response suites—local agents, cloud connectors, and antivirus services alike. Affiliates receive these utilities alongside the ransomware payload, giving them a ready-made way to weaken defenses in a single click.
From RaaS to Full-Stack Sabotage
The emergence of GentleKiller highlights a maturation trend in the ransomware economy. Instead of relying solely on phishing or unpatched vulnerabilities, RaaS groups now offer turnkey solutions that combine reconnaissance, credential harvesting, and active defense circumvention. By bundling these utilities with the encryptor, The Gentlemen is effectively selling a complete intrusion package rather than a stand-alone malware strain.
What Comes Next
Security teams should expect similar toolkits to proliferate as long as RaaS operations remain profitable. Monitoring for unexpected process terminations and restricting administrative privileges remain the most immediate defenses, while layered monitoring can help detect the lateral movement that often precedes ransomware deployment.
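
As an added illustration of the process-termination monitoring recommended above (not code from the source report or from any vendor), this sketch flags a single actor that ends several distinct security-agent processes on one host within a short window. The log format, the `actor` field, the watchlist entries and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: a short watchlist of security-agent image names (not from the
# article); replace with the agents actually deployed in your environment.
WATCHLIST = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe"}

# Constructed sample telemetry: timestamp, host, event, ended image, ending actor.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ws01 PROC_EXIT MsMpEng.exe actor=helper.exe
2024-05-01T10:00:03 ws01 PROC_EXIT notepad.exe actor=explorer.exe
2024-05-01T10:00:04 ws01 PROC_EXIT MsSense.exe actor=helper.exe
2024-05-01T10:00:09 ws01 PROC_EXIT SentinelAgent.exe actor=helper.exe
2024-05-01T10:02:00 ws02 PROC_EXIT MsMpEng.exe actor=services.exe
2024-05-01T10:05:00 ws03 PROC_EXIT MsMpEng.exe actor=admin.exe
2024-05-01T10:05:20 ws03 PROC_EXIT CSFalconService.exe actor=admin.exe
2024-05-01T10:30:00 ws03 PROC_EXIT SentinelAgent.exe actor=admin.exe
"""

def parse(line):
    ts, host, event, image, actor = line.split()
    return datetime.fromisoformat(ts), host, event, image.lower(), actor.split("=", 1)[1].lower()

def detect(lines, window=timedelta(seconds=60), threshold=3):
    """Alert once per (host, actor) that ends >= threshold distinct
    watchlisted processes inside a sliding time window."""
    recent = defaultdict(deque)   # (host, actor) -> (timestamp, image) pairs in window
    alerted, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ts, host, event, image, actor = parse(line)
        if event != "PROC_EXIT" or image not in WATCHLIST:
            continue
        key, q = (host, actor), recent[(host, actor)]
        q.append((ts, image))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        killed = sorted({img for _, img in q})
        if len(killed) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "actor": actor, "since": q[0][0], "killed": killed})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on distinct agents ended by the same actor keeps a single service restart (ws02) or terminations spread over a long period (ws03) from raising an alert at the default settings.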
Source: The Hacker News. AI-assisted editorial synthesis — TechnoExpress.

