In the ever-evolving landscape of cybercrime, one of the most notorious ransomware gangs of 2026, known as The Gentlemen, has recently garnered attention for its sophisticated approach to disabling victims’ security measures before encrypting their systems. This investigation, carried out by cybersecurity firm ESET, revealed the intricacies of a specialized toolkit termed GentleKiller, specifically designed to dismantle endpoint detection and response (EDR) systems.
ESET’s findings indicate that GentleKiller is not merely a single tool but rather a comprehensive framework aimed at undermining various security software processes. The research highlighted that the toolkit targets more than 400 processes across approximately 48 different security products. These include well-known names like Microsoft Defender, CrowdStrike, Sophos, and even ESET’s own security solutions. By targeting and disabling these security applications at the kernel level, GentleKiller allows ransomware to operate without detection or hindrance, showcasing a new level of sophistication in cyber-attacks.
The methodology employed by GentleKiller also stands out for its use of a technique known as “bring your own vulnerable driver” (BYOVD). In this approach the attacker loads a legitimate, signed driver that carries a known, previously exploited vulnerability, then abuses that flaw to act against security processes from within the kernel. Running with kernel privileges lets the ransomware bypass the protections that apply to user-mode processes, significantly increasing its chances of a successful breach.
ESET’s analysis identified at least eight distinct variants of GentleKiller, each crafted to mimic legitimate software products. The names of these variants are taken from popular culture, including titles from the gaming and cybersecurity realms, such as Valorant and Kaspersky. Moreover, these binaries employ deceptive tactics to evade detection: they carry counterfeit version information and invalid digital signatures, and they replicate the icons of the legitimate products they impersonate. Such wrapping techniques make it even more challenging for traditional security measures to identify these malicious tools.
What sets The Gentlemen apart from other ransomware groups is not just the effectiveness of its toolkit, but the operational model it adopts. In a departure from typical practices where affiliates are responsible for sourcing their own EDR killers, The Gentlemen handle the development and maintenance of these tools in-house. This unique approach underscores the gang’s commitment to providing a comprehensive resource for its affiliates, who receive an unprecedented 90% share of the profits. This model not only incentivizes participation but also ensures that the tools are continuously updated and fine-tuned for maximum effectiveness.
The Gentlemen first emerged in late 2025, founded by a former affiliate of the Qilin group, and has since attracted affiliates eager for a lucrative partnership. Interestingly, this gang does not focus its assaults mainly on victims in the United States. Instead, it targets organizations across Southeast Asia, South America, and Western Europe, carefully selecting its prey based on vulnerabilities in their FortiGate configurations—a strategy that reflects a calculated and strategic approach to cyber extortion.
The implications of ESET’s research extend beyond understanding GentleKiller itself. Analysts emphasize that comprehending the mechanics of such EDR-killer tools equips cybersecurity experts with crucial insights for developing defenses against potential variants. Effective defenses against BYOVD attacks can be formulated by focusing on identifying and blocking known vulnerable drivers and establishing alerts for any sudden shutdown of protected security processes.
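The two controls named above, blocking known vulnerable drivers and alerting on the shutdown of protected security processes, as a small Python detection sketch over constructed telemetry. This is an added example, not ESET's research tooling: the log format, the driver hashes (placeholders), the process names and the paths are all assumptions, and the correlation window is an arbitrary choice.

```python
from datetime import datetime, timedelta

# Constructed blocklist of driver hashes; a real deployment would feed this from a
# vendor list such as Microsoft's vulnerable driver blocklist. Placeholder values.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_SHA256_VULNERABLE_DRIVER"}
# Security-product processes whose termination should always alert (assumed examples).
PROTECTED_PROCESSES = {"msmpeng.exe", "ekrn.exe", "csfalconservice.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\temp", "c:\\windows\\temp\\")
CORRELATION_WINDOW = timedelta(seconds=60)

def parse_event(line):
    """Parse a constructed 'key=value;key=value' telemetry line into a dict."""
    ev = dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev

def driver_load_reasons(ev):
    """Why a driver load looks like BYOVD staging: blocklisted hash or odd location."""
    reasons = []
    if ev.get("sha256") in VULNERABLE_DRIVER_HASHES:
        reasons.append("hash on vulnerable-driver blocklist")
    if ev["image"].lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("loaded from user-writable path")
    return reasons

def analyze(lines):
    """Return (severity, message) alerts. A protected-process kill shortly after a
    suspicious driver load is escalated, since that sequence is the BYOVD EDR-killer pattern."""
    alerts, suspicious_loads = [], []
    for raw in lines:
        ev = parse_event(raw)
        if ev["event"] == "DriverLoad":
            reasons = driver_load_reasons(ev)
            if reasons:
                suspicious_loads.append(ev["time"])
                alerts.append(("MEDIUM", f"driver {ev['image']}: {', '.join(reasons)}"))
        elif ev["event"] == "ProcessTerminate":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in PROTECTED_PROCESSES:
                recent = any(timedelta(0) <= ev["time"] - t <= CORRELATION_WINDOW
                             for t in suspicious_loads)
                alerts.append(("CRITICAL" if recent else "HIGH",
                               f"protected security process terminated: {name}"))
    return alerts

# Constructed sample telemetry, not real logs.
SAMPLE_LOG = [
    "time=2026-01-10T09:00:01;event=DriverLoad;image=C:\\Windows\\System32\\drivers\\disk.sys;sha256=PLACEHOLDER_SHA256_BENIGN",
    "time=2026-01-10T09:00:05;event=DriverLoad;image=C:\\Users\\Public\\killer.sys;sha256=PLACEHOLDER_SHA256_VULNERABLE_DRIVER",
    "time=2026-01-10T09:00:20;event=ProcessTerminate;image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
    "time=2026-01-10T09:05:00;event=ProcessTerminate;image=C:\\Windows\\notepad.exe",
]

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(severity, message)
```

On the sample data the blocklisted driver load raises a MEDIUM alert and the Defender kill fifteen seconds later is escalated to CRITICAL; the unrelated notepad exit produces nothing.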
As cyber threats become increasingly sophisticated, the revelations surrounding The Gentlemen’s tactics and tools serve as a stark reminder of the need for vigilance and adaptability in cybersecurity measures. Organizations must remain proactive in analyzing emerging threats and fortifying their defenses, ensuring they can withstand the relentless advancements of ransomware criminals. This evolving battle against cybercrime is a testament to the importance of continuous improvement in security protocols and technologies, as both defenders and attackers seek to outsmart each other in an ongoing arms race.

