Traditional EDR defense is under threat after a criminal group added a sophisticated capability to shut it down, warns ESET.
One of the world’s top ransomware groups has given its criminal affiliates access to advanced tools capable of successfully disabling many of today’s enterprise endpoint detection and response (EDR) products, new research by security company ESET has found.
The group in question is The Gentlemen, which, since its appearance last year using this moniker, has become one of the most successful ransomware-as-a-service (RaaS) platforms thanks to a business model that gives affiliates an unusually generous 90/10 revenue split.
In May, the group’s servers were breached by an unknown attacker, who posted materials subsequently analyzed by researchers to uncover deeper insights into the group’s operation.
One tactic that ESET thinks hasn’t had the attention it deserves is the growing importance of ‘EDR killers’ in the estimated 300 ransomware attacks carried out via The Gentlemen platform.
EDR killers, tools which attempt to bypass or disable PC and server endpoint security agents during a cyberattack, are not new, but have gradually increased in number and sophistication. However, the barrier to using them in a ransomware context is that an affiliate still needs to develop or source their own EDR killer tool, a major undertaking given the large number of EDR products in use by defenders.
The leak confirmed ESET’s suspicion that The Gentlemen had developed its own EDR killer framework, dubbed ‘GentleKiller’, which gives affiliates access to a wide range of sophisticated EDR killer routines without having to do any of the work themselves. The Gentlemen also integrates well-known third-party tools such as HexKiller, ThrottleBlood, and HavocKiller.
Bring your own vulnerable driver
According to ESET researcher Jakub Souček, the effect of this has been to democratize EDR killing capabilities, which have become essential to evading enterprise defenses.
“By providing such tools for affiliates, they lower the entry barrier for less skilled affiliates, who, on top of the encryptor, also receive everything they need to perform intrusions. This naturally expands the affiliate pool and enables consistent encryptor deployment,” Souček said via email.
Across a total of eight variants, the central element of the framework is the ability to quickly turn new bring your own vulnerable driver (BYOVD) proofs-of-concept into usable modules: the framework loads a vulnerable driver and exploits it to gain kernel-level access, from which the EDR agent can be attacked. The framework was bundled with evasions for 400 EDR processes from 48 different vendors.
The principle behind BYOVD is simple enough. An attacker who already holds administrator privileges, for example after an account takeover, installs a legitimate, digitally signed but outdated vendor driver that contains a known, exploitable vulnerability. Because the driver is validly signed, Windows loads it; because it is vulnerable, the attacker can abuse it to act with kernel privileges (typically arbitrary kernel memory reads and writes). That extends ordinary admin control to kernel level, allowing the attacker to target the EDR’s own drivers and callbacks directly rather than fighting the agent from user mode.
EDR tools’ vulnerability to this newer generation of evasion techniques has been known for some time: a 2024 study by security company Trellix highlighted the weakness, and earlier this year another security vendor, Huntress, reported a recent case in which attackers loaded an old vulnerable driver via BYOVD and used it to shut down EDR defenses.
“The biggest defense obstacle is the fact that EDR killers rely on vulnerable non-malicious drivers that are often still used legitimately,” noted Souček.
To defend against this, enterprises should enforce protections such as Hypervisor-Protected Code Integrity (HVCI) and Kernel-mode Code Integrity (KMCI), which make it more difficult for old or unsafe drivers to be loaded, he said.
According to Souček, “companies should also enforce strict allow and block driver policies, including via custom rules that fit their organization, continuously audit and remove unnecessary drivers, and ensure vulnerable drivers are updated or eliminated. Preventing the installation of such drivers renders the EDR killer benign.”
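As an added example (not ESET’s code or anything from the article), the following PowerShell script checks a Windows host for the controls Souček describes: whether HVCI/KMCI are configured and actually running, whether the Microsoft vulnerable driver blocklist is switched on, and which kernel drivers are currently loaded, hashed and attributed to their signer so the list can be audited and pruned. It assumes the documented Win32_DeviceGuard status codes (service 2 = HVCI; enforcement 0/1/2 = off/audit/enforced) and the documented `VulnerableDriverBlocklistEnable` registry value; `$KnownBadSha256` is a placeholder the operator fills from a trusted blocklist, and the hash shown in it is made up and will never match a real file.

```powershell
# Added example, not code from ESET or the article. Run from an elevated
# PowerShell 5.1+ session on the host being audited.
# Placeholder: populate from a trusted blocklist (e.g. the Microsoft recommended
# driver block rules). The value below is constructed and matches nothing.
$KnownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)

# 1. HVCI / KMCI state. SecurityServicesConfigured vs SecurityServicesRunning
#    tells configured from actually running: 1 = Credential Guard, 2 = HVCI.
#    "Configured but not running" is the gap an EDR killer benefits from.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$status = [pscustomobject]@{
    VbsStatus       = $dg.VirtualizationBasedSecurityStatus    # 0 off, 1 enabled, 2 running
    HvciConfigured  = [bool]($dg.SecurityServicesConfigured -contains 2)
    HvciRunning     = [bool]($dg.SecurityServicesRunning    -contains 2)
    KmciEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus  # 0 off, 1 audit, 2 enforced
}

# 2. Microsoft vulnerable driver blocklist toggle (the "Core isolation" setting).
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$status | Add-Member -NotePropertyName VulnerableDriverBlocklist -NotePropertyValue ($blocklist -eq 1)
$status | Format-List

# 3. Inventory of running kernel drivers: path, SHA-256, signer, version.
#    This is the list to compare against a blocklist and to prune of drivers
#    the organisation does not need.
$inventory = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running') {
    if (-not $drv.PathName) { continue }
    # Win32_SystemDriver may report NT-style paths (\??\C:\..., \SystemRoot\...); normalise.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name      = $drv.Name
        Path      = $path
        Sha256    = $hash
        Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' })
        SigStatus = $sig.Status
        Version   = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        KnownBad  = [bool]($KnownBadSha256 -contains $hash)
    }
}

# Drivers on the blocklist, or loaded without a valid signature, are the
# BYOVD candidates to remove or block by policy.
$flagged = $inventory | Where-Object { $_.KnownBad -or $_.SigStatus -ne 'Valid' }
$inventory | Sort-Object Signer | Format-Table Name, Signer, Version, Sha256 -AutoSize
if ($flagged) {
    Write-Warning 'Drivers needing attention:'
    $flagged | Format-Table Name, Path, SigStatus, KnownBad -AutoSize
}
```

The inventory is also the input for the custom allow/block rules Souček mentions: a driver that should never load on a given fleet can be turned into a WDAC deny rule with `New-CIPolicyRule -DriverFilePath <path> -Level Hash -Deny` and merged into the organisation’s policy, so that even a validly signed vulnerable driver is refused before the EDR killer gets a chance to use it.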