Ransomware · 5 min read · 21 June 2026

The Gentlemen Ransomware Group Ships a Centralized EDR Killer to Every Affiliate

GentleKiller blends signed-driver abuse with a hardcoded hit list of roughly 400 security processes — and every Gentlemen affiliate gets it as standard kit.

Marcus Hale, Head of Security Research

A ransomware-as-a-service operation calling itself The Gentlemen has distributed a custom EDR-disabling framework, GentleKiller, as part of its standard affiliate package, giving every operator in its network an actively maintained tool designed to blind endpoint defenses before deploying the encryptor.

What GentleKiller Actually Does

GentleKiller is not a single executable. It is a portfolio of components combining in-house code with repurposed third-party utilities — and at its core sits a hardcoded kill list of approximately 400 process names. That list sweeps across EDR agents, antivirus services, telemetry forwarders, and backup helpers. Anything that could interrupt or record the encryption stage is targeted.

The underlying technique is Bring Your Own Vulnerable Driver, or BYOVD. The attack chain is well-documented at this point: drop a legitimate but vulnerable signed driver onto the target system, load it into the kernel, and use the kernel-mode access to terminate protected processes that a user-mode caller cannot touch. Because the driver carries a valid signature, many security tools treat it as trusted. The encryptor then runs in a largely blind environment.

BYOVD has appeared in major incidents for several years running. What separates GentleKiller from most observed BYOVD usage is productization. Rather than leaving affiliates to assemble their own driver-abuse chain from public proof-of-concept code, The Gentlemen maintain and update GentleKiller centrally, then push it to the affiliate program. That is a meaningful engineering investment — and it tells defenders something about the group's operational ambition.

Why This Model Is More Dangerous Than Typical RaaS

Most ransomware-as-a-service programs focus their engineering resources on the encryptor and the leak-site infrastructure. Defense evasion is typically treated as the affiliate's problem. The Gentlemen have inverted that logic.

Centralizing the EDR-killer means every affiliate — regardless of individual skill level — arrives on target with a proven, maintained blind-spot generator. Skill variance in the affiliate pool no longer protects organizations the way it once did. A less-sophisticated operator running GentleKiller can produce the same pre-encryption silence as a seasoned intrusion team.

The Gentlemen surfaced earlier in 2025 and have been running the standard mid-tier RaaS playbook: double extortion, a public leak site, and affiliate recruitment on Russian-language forums. The investment in a dedicated EDR-killing framework suggests the operators either expect a long runway or plan to amortize the development cost before an eventual rebrand — a pattern the ransomware ecosystem has repeated many times.

No CVE, No Patch — That Is the Point

GentleKiller does not exploit a vulnerability in the traditional sense. BYOVD abuses drivers that Microsoft's own signing infrastructure has already approved. The drivers are not broken; they are old and contain dangerous primitives. That distinction matters enormously for defenders because the relevant control is not a patch — it is a blocklist.

Microsoft maintains a Vulnerable Driver Blocklist as part of App Control for Business. When enabled and kept current, it prevents the operating system from loading drivers with known dangerous characteristics. It is off by default on a surprising share of enterprise fleets. Enabling it costs nothing and closes a significant portion of the BYOVD attack surface.

For reference, the Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector tripled year-over-year, with attackers increasingly targeting the security tooling layer itself rather than application code. GentleKiller is a logical extension of that trend.

What Defenders Should Do Right Now

Confirm the Vulnerable Driver Blocklist Is Enabled

Audit every endpoint and server image. The blocklist is the cheapest available control against BYOVD and is routinely overlooked during hardening reviews. Verify it is on and that the policy version is current.

Alert on Drivers Loading from User-Writable Paths

GentleKiller and similar chains typically stage the vulnerable driver in `%TEMP%`, `%PROGRAMDATA%`, or a newly created subdirectory under the user profile. A signed driver appearing in those locations is almost never legitimate. Write the detection now, before you need it.
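A detection of the kind described above, added here as an example (not code from this post or from any vendor): it parses constructed Sysmon-style driver-load records (the ImageLoaded, Signed and Signature fields of Event ID 6) and flags any driver image loaded from a user-writable root, normalising the path first so case tricks, forward slashes or a `..` hop out of System32 cannot slip past the prefix check. The pipe-separated record layout, the sample lines and the list of writable roots are assumptions made for the example.

```python
import ntpath
from typing import Dict, List, Optional

# Roots any local account can write to (lower-case, trailing backslash), built
# from the staging locations the article names: %TEMP% sits under
# C:\Users\<user>\AppData\Local\Temp and %PROGRAMDATA% is C:\ProgramData.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed records in a pipe-separated key=value layout modelled on the
# fields of Sysmon Event ID 6 (DriverLoad); not real telemetry.
SAMPLE_LOG = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\afd.sys|Signed=true|Signature=Microsoft Windows",
    "EventID=6|ImageLoaded=C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd\\helper.sys|Signed=true|Signature=Example Vendor Ltd",
    "EventID=6|ImageLoaded=C:\\ProgramData\\svc\\mon.sys|Signed=false|Signature=",
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\..\\Temp\\ld.sys|Signed=true|Signature=Example Vendor Ltd",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe",
]

def parse_driver_load(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a driver-load record, or None for any other event."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return fields if fields.get("EventID") == "6" else None

def normalise(path: str) -> str:
    # ntpath works on any host: collapse '.'/'..' segments, then lower-case and
    # unify separators so a prefix check cannot be dodged by case, '/' or '..'.
    return ntpath.normcase(ntpath.normpath(path))

def is_user_writable(path: str) -> bool:
    return normalise(path).startswith(USER_WRITABLE_ROOTS)

def find_suspicious_driver_loads(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every driver loaded from a user-writable root. A validly signed
    driver there is the BYOVD staging pattern; an unsigned one is reported too,
    because it should never load on a host with driver signature enforcement."""
    alerts = []
    for line in lines:
        ev = parse_driver_load(line)
        if ev and is_user_writable(ev["ImageLoaded"]):
            alerts.append({
                "image": normalise(ev["ImageLoaded"]),
                "signed": ev.get("Signed", "false").lower() == "true",
                "signer": ev.get("Signature", ""),
            })
    return alerts
```

Running `find_suspicious_driver_loads(SAMPLE_LOG)` returns three alerts: the signed driver under the user's Temp, the unsigned one under ProgramData, and the one that reached C:\Windows\Temp through a `..` segment; the genuine System32 driver is not reported.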

Treat EDR Silence as an Incident

A sudden loss of heartbeat from a security agent is not a glitch to investigate at next business hours. It is a potential active compromise. Organizations that have configured out-of-band agent heartbeat monitoring and tamper-protection telemetry catch EDR-kill events far earlier than those relying on on-host signatures alone.

Watch for Sequential Batch Process Termination

A kill list of 400 processes does not execute quietly. The termination sequence produces a detectable pattern — a cascade of security-related process exits in rapid succession. Behavioral analytics tuned to flag that pattern give response teams a narrow but real window to intervene.
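One way to build the behavioural rule described above, added as an example that is not code from this post or from any EDR product: a sliding-window counter over constructed Sysmon-style process-exit records (the UtcTime and Image fields of Event ID 5) that opens one alert when several watch-listed security processes exit within a few seconds and extends it as the cascade continues, while a single agent restart stays quiet. The record layout, the short watch-list, the sample lines and the window/threshold values are assumptions made for the example.

```python
import ntpath
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Illustrative watch-list (lower-case): a few well-known agent names stand in
# for the article's ~400-entry kill list, which this example does not reproduce.
SECURITY_PROCESSES = {"msmpeng.exe", "nissrv.exe", "mssense.exe",
                      "sentinelagent.exe", "csfalconservice.exe"}
WINDOW = timedelta(seconds=10)  # exits must fall this close together
THRESHOLD = 3                   # watch-listed exits inside WINDOW that alert

# Constructed records modelled on Sysmon Event ID 5 (ProcessTerminate) fields,
# not real telemetry; two are out of order on purpose to exercise the sort.
SAMPLE_LOG = [
    "EventID=5|UtcTime=2026-06-21 03:14:01.000|Image=C:\\Windows\\System32\\notepad.exe",
    "EventID=5|UtcTime=2026-06-21 03:14:07.380|Image=C:\\Program Files\\Windows Defender\\NisSrv.exe",
    "EventID=5|UtcTime=2026-06-21 03:14:07.120|Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "EventID=5|UtcTime=2026-06-21 03:14:07.640|Image=C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
    "EventID=5|UtcTime=2026-06-21 03:14:08.010|Image=C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe",
    "EventID=5|UtcTime=2026-06-21 03:20:00.000|Image=C:\\Program Files\\CrowdStrike\\CSFalconService.exe",
]

def parse_exit(line: str) -> Optional[Tuple[datetime, str]]:
    """(time, lower-case image name) for a process-exit record, else None."""
    f = dict(kv.split("=", 1) for kv in line.split("|"))
    if f.get("EventID") != "5":
        return None
    return datetime.fromisoformat(f["UtcTime"]), ntpath.basename(f["Image"]).lower()

def detect_termination_cascades(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of watch-listed exits: an alert opens when `threshold`
    land inside `window`; later exits of the same burst extend it, not re-fire."""
    exits = sorted(e for e in map(parse_exit, lines) if e)
    recent: deque = deque()  # (time, name) of watch-listed exits still in window
    alerts: List[Dict[str, object]] = []
    for ts, name in exits:
        if name not in SECURITY_PROCESSES:
            continue
        recent.append((ts, name))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) < threshold:
            continue  # below the bar: a lone agent restart stays quiet
        if alerts and alerts[-1]["end"] >= recent[0][0]:  # still the same burst
            alerts[-1]["end"] = ts
            alerts[-1]["processes"].append(name)
        else:
            alerts.append({"start": recent[0][0], "end": ts,
                           "processes": [n for _, n in recent]})
    return alerts
```

On the sample data the four Defender and SentinelOne exits within one second produce a single alert listing all four, while the CrowdStrike exit six minutes later is not reported on its own.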

Ask Your EDR Vendor Directly

If your endpoint security vendor has not published detection guidance for GentleKiller-style termination chains targeting their own agent, ask them. Their answer — and how quickly they produce it — is useful information about your vendor relationship.

The Human Side of the Defense Gap

Technical controls close part of the exposure, but the organizations most resistant to ransomware affiliates running advanced toolkits are those where security teams understand the attack chain well enough to hunt for it proactively. That fluency does not happen by accident. Security-awareness and analyst training programs that include threat-actor tactics, not just phishing simulations, give defenders the mental model they need to recognize an EDR-kill event for what it is the moment telemetry goes dark — and to act before the encryptor runs.

The failure mode GentleKiller exploits is partly technical — missing blocklist policies, no heartbeat monitoring — but it is also organizational. Teams that have never seen a BYOVD chain in tabletop or training exercises often mistake early indicators for infrastructure problems. That delay is exactly what affiliates depend on.

A free trial of Train2Secure's security awareness platform gives teams the chance to pressure-test that gap without waiting for a live incident to expose it. For organizations benchmarking their program against NIST or ISO controls, the standards alignment page maps training content directly to relevant frameworks.

The Gentlemen's decision to centralize and maintain GentleKiller is a deliberate capability investment. Defenders need to treat it as a signal: this group is building for persistence, and the organizations that respond with persistent, layered controls — technical and human — are the ones that will not appear on the leak site.

How your team can close the gap GentleKiller exploits

  • Enable and verify Microsoft's Vulnerable Driver Blocklist across every endpoint — do not assume it is on by default.
  • Configure out-of-band EDR heartbeat monitoring so agent silence triggers an immediate alert, not a next-day ticket.
  • Run tabletop exercises that simulate an EDR-kill event so analysts recognize the early indicators and know the escalation path before a live incident forces the decision.

Train2Secure's security awareness platform includes threat-scenario modules that help technical teams recognize and respond to advanced ransomware tactics — including BYOVD and defense evasion chains.


Frequently asked questions

What is GentleKiller and who created it?

GentleKiller is a custom EDR-disabling framework developed and maintained by The Gentlemen ransomware-as-a-service group. It combines proprietary code with third-party utilities and a hardcoded list of roughly 400 security-related processes to terminate before deploying the group's encryptor.

How does a BYOVD attack work and why is it hard to stop?

Bring Your Own Vulnerable Driver (BYOVD) works by dropping a legitimate but vulnerable signed driver onto a target system, loading it to gain kernel-mode access, and using that access to terminate protected security processes. Because the driver is validly signed, many tools treat it as trusted. There is no patch — the primary defense is Microsoft's Vulnerable Driver Blocklist.

Is Microsoft's Vulnerable Driver Blocklist enabled by default?

No. On many enterprise Windows deployments, the Vulnerable Driver Blocklist that is part of App Control for Business is off by default. Administrators must explicitly enable and update it to block known dangerous drivers.

What is the fastest detection signal if GentleKiller is running?

The most reliable early signal is sudden loss of EDR agent heartbeat combined with a rapid cascade of security-process terminations. Organizations with out-of-band heartbeat monitoring and behavioral rules alerting on sequential termination of security tools have the best chance of detecting the attack before the encryptor executes.
