A ransomware operation that emerged less than a year ago has claimed 478 victims across more than 70 countries — and it got there by doing something most criminal gangs do not: building and maintaining its own dedicated toolkit to destroy endpoint security software before deploying ransomware.
ESET published its full investigation into the Gentlemen ransomware-as-a-service operation on June 18, 2026, describing a gang that operates more like a software company than a criminal crew: it develops its own endpoint detection and response (EDR) killer, ships updates to affiliates, and can weaponize newly disclosed kernel-driver vulnerabilities within days of a public proof-of-concept release.
The centerpiece of the gang’s arsenal is a tool ESET named GentleKiller, which has appeared in at least eight distinct variants. Each variant impersonates a different piece of legitimate software — Kaspersky antivirus, the shooter game Valorant, enterprise tools Javelin and WatchDog, and others — while deploying a different vulnerable driver to reach the Windows kernel. Once it achieves kernel-level access, GentleKiller runs a periodic loop that terminates security processes, targeting more than 400 processes mapped to 48 security products including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, and dozens of others.
Why Reaching the Kernel Changes the Math for Defenders
Endpoint security agents run most of their logic as user-mode services, but the tamper protection that keeps those services alive is enforced from the kernel: the agent's own driver registers process and object callbacks that strip termination and memory-write rights from handles other user-mode processes try to open. Those callbacks only mediate requests that originate in user mode. GentleKiller does not fight that layer; it steps beneath it.
The technique it uses is called Bring Your Own Vulnerable Driver (BYOVD). An attacker who already holds administrative rights installs a legitimate, digitally signed driver that contains a known vulnerability. Because Windows validates the signature, not the safety of the driver's code, the operating system loads it into the kernel at Ring 0, the deepest level of system access, where the OS itself operates. The killer itself stays a user-mode process: it sends crafted Input/Output Control (IOCTL) requests to the driver's device object, and the vulnerable handler performs the privileged operation from kernel context on the caller's behalf. That proxy is what gives GentleKiller the ability to kill any process on the machine, including security software with tamper protection enabled.
Standard EDR tamper-protection settings guard against user-mode callers and cannot stop a tool whose process-termination requests are carried out by a kernel driver. ESET researcher Jakub Souček, who led the investigation, described Gentlemen as demonstrating “high operational effectiveness and tight integration” of its toolkit into the ransomware workflow. The controls that bite are the ones that act before the driver ever runs: Hypervisor-Protected Code Integrity (HVCI), Microsoft's Vulnerable Driver Blocklist (a Windows Defender Application Control policy that refuses known-abused signed drivers), and detection rules that fire on the driver-installation event, before the kill sequence begins.
An EDR-Killing Factory Model Other Gangs Do Not Run
In most ransomware-as-a-service operations, affiliates source their own defense-evasion tools. The operator supplies the encryptor and the infrastructure; the affiliate handles the intrusion, including finding a reliable way to blind security software. Gentlemen has instead centralized that function, supplying every affiliate at onboarding with a standardized package that includes GentleKiller variants plus three externally sourced killers: HexKiller, ThrottleBlood, and HavocKiller. ESET also documented a Rust credential stealer, OxideHarvest, in use alongside the kit.
The May 2026 leak of the gang's internal data confirmed the model. Leaked materials included communications from the gang's leader, operating under the aliases hastalamuerte and zeta88, explicitly discussing the maintenance and distribution of EDR-killer packages to verified affiliates. On June 10, 2026, journalist Brian Krebs published evidence linking those aliases to Alexander Andreevich Yapaev of Izhevsk, Russia.
What makes the toolkit operationally distinctive is its shared defense-evasion layer, which is applied to compiled binaries rather than to source code. That lets Gentlemen protect tools it obtained from external sources, tools for which it does not possess the original source code, with the same impersonation and obfuscation techniques it applies to GentleKiller. Samples carry fabricated version information, digital signatures copied from legitimate software (which no longer validate, because the signed hash does not match the repackaged file), and icons matching the impersonated product. The commercial packers Enigma and Themida add a further layer of obfuscation.
The result is that files associated with the toolkit appear, at a process-name and version-info level, to belong to Kaspersky, Valorant, a Fortinet endpoint agent, or a Symantec product, which makes process-name allowlists unreliable as a detection mechanism. The copied signatures cut the other way: because they fail Authenticode validation, an allowlist keyed on a verified signer rather than on a name still separates the real product from the impostor.
478 Victims, 70 Countries, and a Target List Built From Fortinet Firewall Configurations
Gentlemen emerged in late 2025 and grew to become the second most active ransomware group globally by April 2026, claiming more than 320 victims by that point. By May 10, the gang had publicly listed 352 victims. By mid-June 2026, that count had reached 478, according to data compiled by Ransomware.Live.
Sectors hit include manufacturing, technology, healthcare, financial services, energy, government, and telecommunications. A confirmed victim is the Romanian state energy operator Complexul Energetic Oltenia. The group’s leak site activity spans more than 70 countries, with concentrations in Thailand, the United Kingdom, Brazil, Germany, and India.
Unlike most large ransomware operations — which draw roughly half their victims from the United States — Gentlemen’s US concentration sits at approximately 13 percent. ESET’s analysis of the leaked backend data suggests this is not accidental: the gang assigns victims centrally, based primarily on the configuration of a target organization’s FortiGate firewall, rather than by geographic preference. The operators maintain a curated database of approximately 14,700 already-compromised FortiGate devices, allowing affiliates to skip reconnaissance and gain immediate network access.
The gang practices double extortion: data is exfiltrated before encryption, and victims who decline to pay face public release of that data on the group’s dedicated leak site.
OxideHarvest: Credential Theft That Runs Independent of Ransomware Deployment
Alongside the EDR-killer suite, ESET’s investigation identified OxideHarvest, a Rust-based credential stealer linked to a specific Gentlemen affiliate. Its configuration shows it targets saved credentials across more than a dozen browsers, including Chrome, Edge, Firefox, Brave, Opera, and Vivaldi, as well as password stores.
OxideHarvest is significant beyond its role in ransomware operations. Because it functions as a standalone tool, credential theft can precede or operate entirely separately from a ransomware deployment. A victim organization whose network credentials were harvested by a Gentlemen affiliate during a campaign that did not result in ransomware may still find those credentials used in a follow-on attack — or sold to other threat actors.
What Security Teams Should Do Before GentleKiller Arrives
ESET’s research surfaces four concrete actions defenders can take now.
Enable HVCI and check driver blocklist coverage. Hypervisor-Protected Code Integrity moves kernel code-integrity enforcement into a hypervisor-isolated environment, so only properly signed driver code can execute, and turning it on also enables the Microsoft Vulnerable Driver Blocklist, which is what actually refuses a known-abused driver that is otherwise validly signed. That blocklist is delivered with Windows updates, so a host that is behind on patching can be enforcing a stale list; verify both that it is enabled and that the host is current. ESET's report lists the specific drivers GentleKiller variants abuse, including drivers from Safetica, Zemana, Qihoo 360, IObit, and Huawei, so organizations can confirm whether those particular drivers are blocked in their environment.
Detect driver-loading events, not just kill events. By the time GentleKiller terminates a security process, the vulnerable driver is already executing in the kernel. Detection rules that fire on the installation of a new kernel-mode driver as a Windows service (System log Event ID 7045) or on the driver load itself (Sysmon Event ID 6) provide an earlier warning, before the kill sequence begins.
Validate EDR tamper-protection settings. Standard tamper protection mediates requests from user-mode callers and cannot resist operations carried out through a kernel driver. Defenders should ask their EDR vendor specifically what the product does about vulnerable-driver loads, whether it blocks or alerts on them and whether it depends on HVCI and the blocklist being enabled, rather than relying on standard anti-tamper settings alone.
Flag impersonation of Kaspersky, Valorant, Javelin, WatchDog, and Sophos processes. GentleKiller variants carry those names as cover identities. In environments where those products are not deployed, unexpected processes using those names should be treated as high-confidence threat indicators. Where they are deployed, the distinguishing check is the Authenticode signature: the genuine product validates against its vendor's certificate, while the impostor's copied signature does not.
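As an added example, not code from ESET's report or from the Gentlemen toolkit, the following PowerShell turns the four actions above, plus the signature-validation point from the impersonation section, into checks an administrator can run on a single Windows host. It assumes an elevated session, a seven-day lookback, Sysmon installed for the driver-load query, and it uses its own illustrative vendor strings (for instance 'Riot Games' as the Valorant publisher) and trusted-driver-directory pattern; the specific driver names and hashes from ESET's report are not reproduced here and should be substituted in for real hunting.

```powershell
#Requires -RunAsAdministrator
# Added example (not ESET's or the Gentlemen operators' code). Checks BYOVD posture and hunts for
# the precursors of an EDR-killer run on this host. ASSUMPTIONS: $coverVendors, $trustedDriverDirs
# and the 7-day window are this example's choices; swap in the drivers/hashes from ESET's report.

$since    = (Get-Date).AddDays(-7)
$findings = [System.Collections.Generic.List[object]]::new()

function Get-EventDataMap {
    # Flatten an event's <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# --- 1. Posture: is HVCI running, and is the Vulnerable Driver Blocklist enabled? ------------
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))   # 2 = HVCI, 1 = Credential Guard
# The Windows Security "Microsoft Vulnerable Driver Blocklist" toggle writes this registry value.
# A value of 1 says enforcement is on; it says nothing about how current the list itself is.
$ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)

# --- 2. Hunt: kernel-mode driver services registered with the SCM (System log, Event ID 7045) --
Get-WinEvent -FilterHashtable @{ LogName='System'; Id=7045; StartTime=$since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventDataMap $_
    if ($d.ServiceType -match 'kernel') {
        $findings.Add([pscustomobject]@{ Source='Svc7045'; Time=$_.TimeCreated; Name=$d.ServiceName
                                         Image=$d.ImagePath; Detail="start=$($d.StartType) by $($d.AccountName)" })
    }
  }

# --- 3. Hunt: Sysmon DriverLoad (Event ID 6) from outside the OS driver directories -------------
# BYOVD drivers are validly signed by design, so the signal is WHERE a driver loads from and that
# it is new, not whether SignatureStatus reads 'Valid'.
$trustedDriverDirs = '^C:\\Windows\\System32\\(drivers|DriverStore)\\'   # assumption; tune per build
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=6; StartTime=$since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventDataMap $_
    if ($d.ImageLoaded -notmatch $trustedDriverDirs) {
        $findings.Add([pscustomobject]@{ Source='Sysmon6'; Time=$_.TimeCreated; Name=(Split-Path $d.ImageLoaded -Leaf)
                                         Image=$d.ImageLoaded; Detail="signer=$($d.Signature); $($d.Hashes)" })
    }
  }

# --- 4. Impersonation: vendor claimed in version info vs. who actually signed the binary --------
$coverVendors = 'Kaspersky', 'Riot Games', 'Javelin', 'WatchDog', 'Sophos'   # assumed cover-identity strings
Get-Process | Where-Object Path | Sort-Object Path -Unique | ForEach-Object {
    $proc = $_
    $vi = (Get-Item -LiteralPath $proc.Path -ErrorAction SilentlyContinue).VersionInfo
    if (-not $vi) { return }
    $claimed = $coverVendors | Where-Object { "$($vi.CompanyName) $($vi.ProductName)" -match $_ }
    if (-not $claimed) { return }
    $sig     = Get-AuthenticodeSignature -FilePath $proc.Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # A signature lifted from another product fails as HashMismatch; a fabricated one as NotSigned.
    # A valid signature from a signer that is not the claimed vendor is just as suspicious.
    if ($sig.Status -ne 'Valid' -or $subject -notmatch ($claimed -join '|')) {
        $started = try { $proc.StartTime } catch { $null }
        $findings.Add([pscustomobject]@{ Source='Impersonation'; Time=$started; Name=$proc.ProcessName
                                         Image=$proc.Path; Detail="claims $($claimed -join ','); sig=$($sig.Status); signer=$subject" })
    }
}

# --- Report ------------------------------------------------------------------------------------
[pscustomobject]@{ HvciRunning = $hvci; VulnerableDriverBlocklistEnabled = $blocklist } | Format-List
$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Both hunting queries deliberately ignore signature status for the driver itself, because the whole point of BYOVD is that the driver is genuinely signed; the only reliable host-side signals are the load event, its location, and whether the hash is on the blocklist. The impersonation check is the inverse: there the signature is exactly what to test, since a copied signature cannot validate against a repackaged binary.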
Frequently Asked Questions
What is an EDR killer and why are ransomware gangs using them?
An endpoint detection and response (EDR) killer is a tool specifically designed to disable or blind the security software that organizations rely on to detect intrusions. Ransomware operators use them because modern EDR software is effective at detecting ransomware encryption activity — but only if it is running. By disabling EDR before deploying the encryptor, attackers buy themselves an unobserved window to steal data and encrypt systems. The BYOVD technique, which GentleKiller uses, achieves this at the kernel level, making user-space defenses insufficient.
What is the Bring Your Own Vulnerable Driver (BYOVD) technique?
BYOVD is a defense-evasion technique in which an attacker who already has administrative rights loads a legitimate, digitally signed kernel driver that contains known vulnerabilities onto a target system. It is an admin-to-kernel step, not a way for a low-privileged user to gain admin: loading a driver requires administrator (SeLoadDriverPrivilege) access to begin with. Windows validates the driver's signature, not its security, so the kernel loads it. The attacker then sends crafted IOCTL commands that exploit the driver's flaws, turning the driver into a Ring 0 proxy. From there, any process on the machine, including EDR software with tamper protection enabled, can be terminated. Microsoft's Vulnerable Driver Blocklist and HVCI are the primary defenses.
Does standard EDR tamper protection stop GentleKiller?
No. Standard EDR tamper-protection settings mediate requests from user-mode callers. GentleKiller's process-kill loop is carried out through a kernel (Ring 0) driver, where those controls do not apply. The effective defenses are enabling HVCI, which also turns on the Microsoft Vulnerable Driver Blocklist so known-vulnerable drivers are refused at load time, keeping that blocklist current through Windows updates, and deploying detection rules that alert on new driver-installation events, before the kill sequence begins.
Which security products does GentleKiller target?
ESET’s research maps more than 400 targeted processes to 48 security vendors. The list includes CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, McAfee/Trellix, Bitdefender, Fortinet, Carbon Black, Cylance, Cybereason, Huntress, and more than 30 others. Organizations relying on any of these products in environments without HVCI or driver-blocklist enforcement have potential exposure to GentleKiller attacks.
