GentleKiller Ransomware Disables 400+ EDR Security Processes

A newly uncovered EDR-killing framework known as GentleKiller has emerged as one of the most aggressive tools in the ransomware landscape this year, systematically terminating over 400 endpoint protection processes across 48 distinct security products. The framework, developed and maintained by the Gentlemen ransomware-as-a-service operation, exploits the Bring Your Own Vulnerable Driver (BYOVD) technique to blind security defenses before encrypting victim systems. ESET disclosed its findings on June 17, 2026, revealing a centralized infrastructure that supplies affiliates with production-ready evasion tools, a level of operational sophistication rarely seen even among top-tier ransomware crews.

GentleKiller Ransomware Exploits Vulnerable Drivers to Blind Endpoint Defenses

How GentleKiller Operates

The GentleKiller framework functions as an in-house arsenal of kernel-level attack tools. Rather than relying on publicly available EDR bypass utilities alone, the Gentlemen gang constructed at least eight distinct variants of GentleKiller, with each release impersonating a different legitimate security application and weaponizing a separate vulnerable or malicious driver. This modularity allows affiliates to swap variants based on the target environment, improving success rates against diverse security stacks.

The underlying method BYOVD involves loading a legitimately signed but flawed kernel driver onto a compromised system. Because the driver carries a valid digital signature, Windows permits it to load at Ring 0, the highest privilege level in the operating system. Attackers then exploit the driver’s vulnerability to execute arbitrary kernel code, effectively granting them the power to terminate protected security processes, tamper with kernel callbacks, and neutralize real-time monitoring tools.

The framework runs in a continuous loop, scanning for targeted processes and force-terminating them every two seconds until the endpoint is stripped of protection. Products affected span nearly every major vendor in the industry, including Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee/Trellix.

Weaponized Drivers and Technical Variants

The eight documented GentleKiller variants abuse drivers originating from sources as varied as antivirus vendors, gaming anti-cheat systems, and utility software. The complete lineup includes:

  • eb.sys (Kaspersky)
  • nseckrnl.sys (FACEIT Anti-Cheat)
  • GameDriverX64.sys (Valorant)
  • stpm_old.sys / stpm_new.sys (Javelin/Safetica)
  • dmx.sys (Zemana WatchDog)
  • 360netmon_wfp.sys (Qihoo 360)
  • IMFForceDelete (IObit)
  • PoisonX rootkit driver

This diversity of weaponized drivers makes signature-based detection difficult. Each variant carries fabricated version information, copied digital signatures, and matching icons from legitimate security vendors a deliberate effort to blend into normal system activity and complicate both automated scanning and manual forensic analysis.

Third-Party EDR Killers Integrated Into the Suite

Beyond its proprietary GentleKiller variants, the Gentlemen operation integrates three externally developed EDR killers into its affiliate-facing toolkit, standardizing them through a shared evasion layer that applies Enigma or Themida, binary protectors.

HexKiller, previously linked exclusively to the Warlock gang, weaponizes a Baidu Antivirus driver (googleApiUtil64.sys). ThrottleBlood, observed in both MedusaLocker and DragonForce intrusions, abuses a TechPowerUp LLC driver (ThrottleBlood.sys). HavocKiller, first disclosed publicly by Huntress on March 19, 2026, exploits a Huawei audio driver (havoc.sys) and was already active in real-world attacks by January 23, 2026, nearly two months before public disclosure.

This standardization pipeline strips away original attribution markers and reapplies a uniform evasion coating, making it nearly impossible to determine which ransomware group originally developed a given tool once it enters the Gentlemen ecosystem.

Rapid Exploit Adoption Sets Gentlemen Apart

What distinguishes the Gentlemen operation from most competitors is its ability to operationalize newly published BYOVD proof-of-concept exploits within days of their public release. Tools such as UnknownKiller and PoisonKiller were folded into the GentleKiller arsenal almost immediately after appearing on GitHub, demonstrating both the resources and the agility to weaponize community research faster than most defenders can patch or detect.

This compressed timeline from public disclosure to active deployment contrasts sharply with the weeks or months typically required by other ransomware groups to adapt new exploits into production tooling. It signals a mature development pipeline and suggests that Gentlemen maintains dedicated personnel monitoring security research publications and open-source repositories for exploitable drivers.

The Gang Behind the Framework

Gentlemen surfaced in late 2025 as a ransomware-as-a-service platform founded by an individual operating under the alias hastalamuerte, a former affiliate of the Qilin ransomware group. Within months, it became one of the five most active ransomware operations globally during the first quarter of 2026.

The group’s targeting strategy deviates from the heavy United States focus common among major ransomware gangs. Instead, Gentlemen deliberately pursues victims across Southeast Asia, South America, and Western Europe, selecting targets primarily through FortiGate misconfigurations rather than geographic profiling. An internal data leak in May 2026 confirmed that Gentlemen’s operators actively develop, maintain, and distribute the GentleKiller framework directly to vetted affiliates.

To accelerate recruitment, Gentlemen offers affiliates an unusually generous 90 percent revenue share, a figure well above the industry average. Alongside GentleKiller, the gang distributes OxideHarvest, a Rust-written credential stealer that harvests browser credentials from Chromium-based and Gecko-based browsers across compromised hosts, further streamlining the path from initial access to domain control.

Canadian Impact and Regulatory Context

Although Gentlemen’s current targeting focuses on regions outside North America, Canadian organizations remain exposed through several vectors. The FortiGate misconfiguration-based targeting method used by Gentlemen affiliates does not discriminate by geography. Any Canadian business or government agency with improperly configured Fortinet perimeter appliances, a persistent issue catalogued by the Canadian Centre for Cyber Security (CCCS) in its annual threat assessments, represents a potential entry point.

Under PIPEDA, Canada’s federal private-sector privacy law, any organization that suffers a ransomware attack involving unauthorized access to personal information must assess whether the incident creates a “real risk of significant harm.” If so, breach notification to the Office of the Privacy Commissioner of Canada and affected individuals is mandatory. Ransomware attacks where attackers maintain access to systems as Gentlemen affiliates do when they deploy GentleKiller and OxideHarvest squarely meet this threshold. Penalties for non-compliance can reach $100,000 CAD per violation, a figure that rises substantially when legal, reputational, and operational recovery costs are factored in.

Canadian critical infrastructure operators, healthcare providers, and municipal government sectors where legacy endpoint security configurations remain common should treat the Gentlemen threat model as directly relevant. The CCCS has consistently warned that ransomware groups utilizing BYOVD techniques pose elevated risks to organizations relying on single-layer endpoint protection without kernel-level tamper resistance.

Detection and Defensive Recommendations

Security teams defending against GentleKiller and BYOVD-based attacks should prioritize two technical controls above all others: driver allowlisting and enforcement of Microsoft’s Vulnerable Driver Blocklist. The blocklist, while not updated as frequently as some vendors would prefer, still prevents the loading of numerous known-vulnerable drivers that GentleKiller weaponizes.

Defenders should also monitor for the GentlemenCollection staging directory, a known artifact of Gentlemen intrusions and anomalous kernel driver load events, particularly those involving drivers from gaming, utility, or lesser-known software vendors appearing on production systems. Correlating process termination patterns targeting security software with suspicious driver installations remains the most reliable behavioral detection signal for GentleKiller activity.

Key Takeaways

  • GentleKiller is a proprietary EDR-killing framework with at least eight distinct variants, each abusing a different vulnerable kernel driver to disable endpoint security tools.
  • The framework targets over 400 processes mapped to 48 security products, including major vendors such as CrowdStrike, SentinelOne, Microsoft Defender, and Palo Alto Networks.
  • The Gentlemen ransomware gang integrates both in-house and third-party EDR killers HexKiller, ThrottleBlood, and HavocKiller through a standardized evasion pipeline.
  • Gentlemen can weaponize newly published BYOVD exploits within days of their GitHub release, outpacing most ransomware groups by weeks or months.
  • Canadian organizations are at risk through FortiGate misconfigurations and must comply with PIPEDA breach notification requirements if personal information is accessed during an attack.
  • Detection relies on correlating security process terminations with anomalous driver loads and monitoring for the GentlemenCollection staging directory.
  • The gang offers affiliates a 90 percent revenue share, accelerating recruitment and expanding the pool of attackers deploying GentleKiller in the wild.

What You Should Do Now

  1. Enable Microsoft’s Vulnerable Driver Blocklist across all Windows endpoints and verify it is actively enforced through Group Policy or Intune configuration profiles.
  2. Implement driver allowlisting using Windows Defender Application Control or a third-party equivalent to prevent the loading of unauthorized kernel-mode drivers.
  3. Audit FortiGate configurations for misconfigurations, exposed management interfaces, or outdated firmware that could serve as an initial access vector for Gentlemen affiliates.
  4. Configure monitoring rules to alert on kernel driver load events correlated with repeated termination of security processes, particularly those targeting EDR or antivirus agents.
  5. Review your PIPEDA breach response plan to ensure it addresses ransomware scenarios involving unauthorized access, credential theft, and potential data exfiltration.
  6. Subscribe to CCCS threat bulletins and ESET research publications for ongoing indicators of compromise and updated detection signatures related to GentleKiller and Gentlemen activity.

Leave a Comment