One of the most active ransomware gangs of 2026 has been handing its affiliates a ready-made toolkit for switching off victims' security software before the encryption begins.
New analysis from ESET details the endpoint detection and response (EDR) killer suite used by The Gentlemen, a ransomware-as-a-service (RaaS) operation, built around an in-house framework the researchers named GentleKiller.
GentleKiller's job is to disable endpoint protection. ESET found it targeting more than 400 processes across roughly 48 security products, from Microsoft Defender and CrowdStrike to Sophos and ESET's own tools, killing them at the kernel level so the ransomware could run unchecked.
Borrowed Drivers, Kernel Power
The method is called bring your own vulnerable driver (BYOVD). Each build loads a legitimately signed but flawed kernel driver, then abuses it to kill security processes from inside the kernel, beyond the reach of user-mode protections.
ESET counted at least eight GentleKiller variants, each impersonating a different legitimate product, with names lifted from games and security brands such as Valorant, FACEIT and Kaspersky, and each abusing a different driver.
To bypass inspection, the binaries carry fake version details, copied but invalid digital signatures and the icons of the vendors they mimic, often wrapped in commercial packers.
A Suite, Not a Single Tool
What makes Gentlemen unusual is that its operators, not its affiliates, build and maintain the EDR killers. ESET said most ransomware crews leave affiliates to find their own; only a handful, such as RansomHub, supply one. Gentlemen offers a whole portfolio:
- GentleKiller, the in-house framework, in at least eight variants
- HexKiller, previously tied to the Warlock gang
- ThrottleBlood, seen in MedusaLocker and DragonForce intrusions
- HavocKiller, which abuses a Huawei audio driver
The three borrowed tools were each re-skinned with Gentlemen's shared evasion layer. GentleKiller itself moved faster still, with the operators turning newly disclosed driver exploits into working variants within days of release.
Inside the Gentlemen Operation
Gentlemen surfaced in late 2025, founded by a former Qilin affiliate, and lures affiliates with an unusually large 90% cut.
ESET confirmed the operator-run model partly through a May data leak, in which the gang's leader openly discussed maintaining the EDR-killer packages. Unusually, it does not concentrate on US victims, picking targets across Southeast Asia, South America and Western Europe by their exposed FortiGate configurations.
ESET said understanding how GentleKiller works helps defenders prepare even for variants not yet built. In practice, defenses against such BYOVD attacks center on blocking known-vulnerable drivers and alerting whenever a protected security process is suddenly shut down.
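As an added illustration of those two defensive controls (this is example code written for this page, not part of ESET's analysis or any vendor tooling), the sketch below runs a detection over constructed Sysmon-style events: it flags loads of drivers whose hash is on a known-vulnerable blocklist, flags termination of security-product processes, and raises the severity when a kill follows a blocklisted driver load within a short window, which is the BYOVD EDR-killer sequence described above. The hashes are placeholders, the event shape is assumed, and the protected-process list is a small illustrative subset to be replaced with the image names of the products actually deployed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample events in a Sysmon-like shape (not real telemetry).
# id 6 = driver loaded, id 5 = process terminated; "t" is seconds.
# signed=True on the first driver is deliberate: BYOVD drivers carry
# valid vendor signatures, so signature validity alone is not a signal.
EVENTS = [
    {"t": 100, "id": 6, "image": r"C:\Windows\Temp\audio.sys",
     "sha256": "PLACEHOLDER_VULN_DRIVER_HASH", "signed": True},
    {"t": 102, "id": 5, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"t": 103, "id": 5, "image": r"C:\Program Files\ESET\ESET Security\ekrn.exe"},
    {"t": 500, "id": 6, "image": r"C:\Windows\System32\drivers\disk.sys",
     "sha256": "PLACEHOLDER_BENIGN_HASH", "signed": True},
    {"t": 900, "id": 5, "image": r"C:\Windows\notepad.exe"},
]

# Placeholder blocklist; in production, populate from a maintained
# known-vulnerable driver list rather than hand-typed values.
VULN_DRIVER_HASHES = {"PLACEHOLDER_VULN_DRIVER_HASH"}

# Illustrative subset of security-product image names (assumption:
# extend with every EDR/AV process present in your estate).
PROTECTED_PROCESSES = {"msmpeng.exe", "ekrn.exe"}

CORRELATION_WINDOW = 60  # seconds between driver load and process kill


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[str]:
    """Return alert strings for a time-ordered event stream."""
    alerts: List[str] = []
    last_bad_driver: Optional[Tuple[int, str]] = None
    for ev in events:
        if ev["id"] == 6 and ev["sha256"] in VULN_DRIVER_HASHES:
            last_bad_driver = (ev["t"], ev["image"])
            alerts.append(f"HIGH: known-vulnerable driver loaded: {ev['image']}")
        elif ev["id"] == 5 and basename(ev["image"]) in PROTECTED_PROCESSES:
            sev = "MEDIUM"  # a protected process stopping is always worth a look
            if last_bad_driver and ev["t"] - last_bad_driver[0] <= CORRELATION_WINDOW:
                sev = "CRITICAL"  # kill shortly after a bad driver load: BYOVD pattern
            alerts.append(f"{sev}: security process terminated: {basename(ev['image'])}")
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```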
