GentleKiller Exposed: How a Rising Ransomware Empire Is Silencing Security Software Before Striking


Introduction: A Dangerous Evolution in the Ransomware Industry

The ransomware ecosystem has entered a new phase. Attackers are no longer relying solely on encryption and extortion. Instead, they are investing heavily in pre-attack technologies designed to neutralize security defenses before victims even realize they are under attack.

A newly uncovered framework known as GentleKiller demonstrates how sophisticated modern ransomware operations have become. According to security researchers at ESET, the ransomware group known as The Gentlemen has developed a powerful collection of tools capable of disabling endpoint protection products from dozens of major cybersecurity vendors. By eliminating security software before launching encryption routines, attackers dramatically increase their chances of success while reducing opportunities for detection and response.

The discovery highlights a growing trend in cybercrime where ransomware groups are operating more like professional software companies, building, maintaining, and distributing specialized offensive tools to affiliates worldwide.

ESET Uncovers the GentleKiller Framework

Security researchers at ESET recently analyzed a sophisticated endpoint detection and response (EDR) killing framework used by The Gentlemen ransomware operation.

The framework, named GentleKiller, was specifically designed to disable endpoint protection solutions before ransomware deployment begins. Researchers discovered that the toolkit targets more than 400 individual processes associated with approximately 48 different security products.

Among the targeted solutions are Microsoft Defender, CrowdStrike, Sophos, and even ESET's own products. Instead of attempting to bypass these tools through traditional methods, GentleKiller attacks them directly at the kernel level, effectively shutting them down before they can react to malicious activity.

This approach gives ransomware operators a critical advantage. Once security software is disabled, attackers can move laterally, deploy payloads, and encrypt systems with significantly reduced risk of interruption.

The Power Behind the Attack: BYOVD

One of the most concerning aspects of GentleKiller is its reliance on a technique known as Bring Your Own Vulnerable Driver (BYOVD).

This strategy exploits legitimately signed drivers that contain known security weaknesses. Since the drivers are digitally signed and trusted by operating systems, they are allowed to load into the kernel with elevated privileges.

After loading a vulnerable driver, attackers abuse its flaws to terminate security software directly from kernel space. Because these actions occur below the operating system’s normal security monitoring layers, traditional protections often struggle to stop them.

In essence, attackers are weaponizing trusted software components against the very systems designed to protect users.

Multiple Variants Designed for Evasion

ESET researchers identified at least eight separate variants of GentleKiller.

Each version masquerades as a different legitimate application or security product. Names were borrowed from well-known software and gaming platforms, including Valorant, FACEIT, and Kaspersky-related branding.

The deception does not stop there.

The binaries contain forged version information, invalid but convincing-looking digital signatures, and authentic-looking vendor icons. Many samples are additionally protected with commercial software packers that make reverse engineering and malware analysis significantly more difficult.

These layers of disguise help the malware blend into legitimate system activity, increasing the likelihood that administrators and automated defenses will overlook it.

More Than One Tool: A Complete EDR-Killing Arsenal

What makes The Gentlemen operation especially noteworthy is that it does not provide affiliates with a single utility. Instead, it maintains an entire portfolio of EDR-disabling tools.

Researchers identified several major components:

GentleKiller

The flagship framework developed internally by The Gentlemen. Multiple variants exist, each leveraging different vulnerable drivers and evasion methods.

HexKiller

A previously known tool associated with the Warlock ransomware ecosystem that has been incorporated into The Gentlemen toolkit.

ThrottleBlood

A utility previously observed in attacks linked to MedusaLocker and DragonForce operations.

HavocKiller

An EDR killer that abuses a vulnerable Huawei audio driver to gain kernel-level capabilities.

What is particularly alarming is that all of these tools have reportedly been re-engineered to share a common evasion framework, creating consistency across the ransomware group’s operational toolkit.

Rapid Development Cycles Give Attackers an Edge

Historically, cybercriminal groups often relied on publicly available malware or tools developed by independent affiliates.

The Gentlemen appears to operate differently.

According to ESET’s findings, the group’s core operators actively maintain and update their EDR-killing frameworks themselves. Researchers observed that newly disclosed vulnerable drivers could be incorporated into fresh GentleKiller variants within days of becoming public knowledge.

This rapid development cycle mirrors practices seen in legitimate software development organizations, where vulnerabilities, updates, and feature releases are quickly integrated into production environments.

For defenders, this means security teams may have little time to react before new attack techniques begin appearing in real-world incidents.

The Rise of The Gentlemen Ransomware Operation

The Gentlemen first emerged toward the end of 2025 and is believed to have been founded by a former affiliate of the Qilin ransomware ecosystem.

The group quickly attracted attention by offering affiliates an unusually generous 90 percent revenue share, one of the highest profit splits observed in the ransomware-as-a-service market.

This aggressive recruitment strategy appears to have paid off. The operation rapidly expanded and attracted experienced cybercriminals looking for higher profits and professionally maintained tooling.

A data leak in May reportedly provided further confirmation that the group’s leadership was directly involved in developing and maintaining the EDR-killer infrastructure supplied to affiliates.

Global Targeting Strategy

Unlike many ransomware organizations that heavily prioritize North American targets, The Gentlemen has adopted a broader geographical approach.

Researchers observed attacks and victim selection activities spanning:

Southeast Asia

South America

Western Europe

The group reportedly identifies potential targets by scanning for exposed FortiGate deployments and vulnerable internet-facing infrastructure.

This strategy allows attackers to cast a wide net while focusing on organizations that present attractive entry points.

Why Security Teams Should Pay Attention

GentleKiller represents more than just another malware family.

It demonstrates how ransomware groups are increasingly focusing on defense destruction rather than defense evasion. Instead of sneaking around security products, attackers are now attempting to remove them entirely.

This shift changes the defensive landscape significantly.

Organizations can no longer assume that endpoint protection alone will provide adequate protection. Security strategies must now include driver control policies, kernel-level monitoring, privileged process protection, and rapid incident response procedures.

Blocking known vulnerable drivers and generating alerts whenever protected security services are unexpectedly terminated have become essential defensive measures.

Deep Analysis: Defensive Linux, Windows, and Enterprise Detection Commands

Modern organizations should continuously monitor for vulnerable driver abuse and suspicious process termination activity.

Linux Monitoring

dmesg | grep -i driver
lsmod
modinfo <driver_name>
journalctl -k
auditctl -l
ausearch -m AVC

Windows Investigation

driverquery
sc query
fltmc
Get-WinEvent -LogName Security
Get-Process
Get-CimInstance Win32_SystemDriver

Microsoft Defender Hunting

DeviceProcessEvents
| where ProcessCommandLine contains "driver"

DeviceImageLoadEvents
| where FileName endswith ".sys"
// kernel driver loads themselves are recorded in DeviceEvents with ActionType == "DriverLoad"

Sysmon Detection

Event ID 1 (process creation)

Event ID 6 (driver loaded)

Event ID 7 (image loaded)

Event ID 11 (file created)

Threat Hunting Priorities

Check newly loaded drivers

Identify unsigned kernel modules

Monitor security service shutdowns

Review privilege escalation events

Track vulnerable driver hashes

Correlate ransomware precursor activity
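As an added example that is not part of the ESET research or this article, the following Python script ties the Sysmon Event ID 6 (driver loaded) detection and the threat hunting priorities above together: it parses driver-load records, flags loads that match a vulnerable-driver hash blocklist, are unsigned or carry a non-valid signature, or are staged from a user-writable directory. The blocklist entry, file paths and event records are constructed placeholders, not real indicators.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed blocklist of placeholder SHA-256 values; in practice feed it from a source such as Microsoft's recommended driver block rules or the LOLDrivers project.
VULNERABLE_DRIVER_SHA256 = {"a" * 64: "placeholder-vulnerable-driver"}
# Directories from which a kernel driver should rarely be loaded on a managed host.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\")

def parse_driver_load(xml_text):
    """Return the fields of one Sysmon Event ID 6 record, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    hashes = dict(h.split("=", 1) for h in data.get("Hashes", "").split(",") if "=" in h)
    return {"image": data.get("ImageLoaded", ""), "sha256": hashes.get("SHA256", "").lower(),
            "signed": data.get("Signed", "").lower() == "true",
            "status": data.get("SignatureStatus", "")}

def triage(rec):
    """Return the BYOVD-relevant findings for one parsed driver-load record."""
    findings = []
    if rec["sha256"] in VULNERABLE_DRIVER_SHA256:
        findings.append("blocklisted-hash")  # validly signed, but known-vulnerable
    if not rec["signed"]:
        findings.append("unsigned-driver")
    elif rec["status"] != "Valid":
        findings.append("signature-" + rec["status"].lower())  # e.g. revoked, expired
    if any(d in rec["image"].lower() for d in SUSPICIOUS_DIRS):
        findings.append("staged-from-user-writable-path")
    return findings

def hunt(xml_records):
    """Return (image path, findings) for every driver load that raises a finding."""
    parsed = [parse_driver_load(x) for x in xml_records]
    return [(r["image"], triage(r)) for r in parsed if r is not None and triage(r)]

def _event(event_id, image, sha256, signed="true", status="Valid"):
    """Build a constructed Sysmon record in the EVTX XML layout (test data, not real telemetry)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System><EventData>'
            f'<Data Name="ImageLoaded">{image}</Data><Data Name="Hashes">SHA256={sha256},IMPHASH=0'
            f'</Data><Data Name="Signed">{signed}</Data><Data Name="SignatureStatus">{status}'
            f'</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed: staged vulnerable driver, normal OS driver, a process event
    _event(6, "C:\\Windows\\Temp\\placeholder.sys", "a" * 64),
    _event(6, "C:\\Windows\\System32\\drivers\\ntfs.sys", "b" * 64),
    _event(1, "C:\\Windows\\System32\\cmd.exe", "c" * 64),
]
```

Running hunt(SAMPLE_EVENTS) reports only the staged driver, with both the blocklist and path findings; a real deployment would read records from the Sysmon operational log or a SIEM export instead of the constructed list.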

Defensive Hardening

Enable HVCI

Enable Kernel-mode Code Integrity

Deploy WDAC policies

Block vulnerable drivers

Enable Tamper Protection

The emergence of GentleKiller reinforces an important lesson: attackers are increasingly targeting the foundations of operating system security rather than merely bypassing surface-level defenses.

What Undercode Says:

The discovery of GentleKiller marks a significant turning point in ransomware evolution.

For years, cybersecurity vendors focused on detecting malicious payloads and suspicious encryption behavior.

The Gentlemen appears to have recognized a fundamental weakness in that approach.

Instead of fighting security software, they remove it.

This transforms ransomware from a post-compromise threat into a pre-compromise preparation process.

The BYOVD technique is particularly dangerous because it abuses trust rather than breaking trust.

Organizations often assume digitally signed drivers are safe.

Attackers understand that assumption.

Every vulnerable signed driver becomes a potential weapon.

The existence of eight separate GentleKiller variants suggests long-term planning rather than opportunistic development.

This is not experimental malware.

It is an actively maintained platform.

The inclusion of HexKiller, ThrottleBlood, and HavocKiller demonstrates a broader strategy of consolidating proven attack technologies under a single operational framework.

The business model is equally concerning.

A 90% affiliate payout signals aggressive market expansion.

Higher payouts attract more affiliates.

More affiliates create more attacks.

More attacks generate more revenue.

The cycle becomes self-sustaining.

The

That level of discipline often correlates with higher success rates.

The speed at which newly disclosed vulnerable drivers are weaponized also reveals mature development capabilities.

Many legitimate enterprises struggle to patch vulnerabilities within weeks.

These attackers are integrating exploits within days.

That operational velocity creates a substantial defensive disadvantage.

The cybersecurity industry may soon witness a broader shift toward operator-maintained EDR killers.

If other ransomware groups adopt similar strategies, disabling endpoint protection could become a standard attack phase.

Organizations should therefore move beyond traditional antivirus thinking.

Security architecture must assume endpoint controls can be neutralized.

Detection should extend into kernel activity.

Driver management should become a board-level security concern.

Threat hunting teams should prioritize vulnerable driver monitoring.

Zero Trust strategies become increasingly valuable in this environment.

Ultimately, GentleKiller is not just another malware tool.

It represents the industrialization of security-software destruction.

That trend may define the next generation of ransomware warfare.

Prediction

(+1) More enterprises will begin deploying driver-control policies, kernel protection technologies, and advanced behavioral monitoring to counter BYOVD attacks. 🛡️

(+1) Security vendors will accelerate development of self-protection mechanisms capable of resisting kernel-level termination attempts. 🚀

(+1) Governments and cybersecurity agencies may expand vulnerable-driver blocklists and require stronger driver validation standards. 🔒

(-1) Ransomware operators are likely to adopt EDR-killing frameworks as a standard feature, increasing attack success rates worldwide. ⚠️

(-1) Newly disclosed vulnerable drivers may continue to be weaponized faster than many organizations can patch affected systems. 📉

(-1) Organizations relying solely on traditional endpoint protection could experience significantly higher compromise rates in the coming years. 🚨

✅ ESET researchers reported that GentleKiller targets hundreds of security-related processes across dozens of endpoint protection products, indicating a large-scale effort to disable defenses before ransomware deployment.

✅ The BYOVD technique is a well-documented attack method in cybersecurity, allowing threat actors to abuse vulnerable but legitimately signed drivers to gain kernel-level privileges and terminate protected processes.

✅ Evidence suggests The Gentlemen operates a ransomware-as-a-service model with internally maintained EDR-killing tools, a notable distinction from many ransomware groups that require affiliates to source their own defense-evasion utilities.

❌ There is currently no public evidence suggesting GentleKiller can bypass every endpoint protection platform in existence. Security products with strong driver-blocking policies and kernel protections may still detect or prevent portions of the attack chain.

❌ The existence of multiple GentleKiller variants does not guarantee successful ransomware deployment. Effective monitoring, vulnerable-driver blocklists, and rapid incident response can still disrupt attacks before encryption occurs.


References:

Reported By: www.infosecurity-magazine.com
