The Gentlemen Ransomware Group Uses GentleKiller Tool to Exploit Driver Vulnerabilities and Disable Security Systems

334/69 Monday, June 22, 2026

ESET has published an investigation into the infrastructure of the Ransomware-as-a-Service group known as The Gentlemen, which has been active since late 2025 and has claimed more than 504 victims. Its primary targets are in Southeast Asia, South America, and Western Europe. What makes this group notable is not only its ransomware, but also the fact that its operators have developed and provided a toolset called GentleKiller to their affiliate network. The tool is used to disable endpoint detection and response (EDR) systems on victims’ machines before deploying ransomware.

In-depth analysis found that GentleKiller uses the Bring Your Own Vulnerable Driver (BYOVD) technique by abusing vulnerable or malicious drivers to evade detection. At least eight variants of the tool have been observed so far, customized to masquerade as legitimate software, such as Kaspersky software or game anti-cheat systems. Evidence of its operation shows a command window disguised as a Kaspersky system process, which loads a driver and begins monitoring the system by scanning every two seconds to identify and forcefully terminate security-related processes, such as SecurityHealthService.exe. The toolset can target more than 400 processes from 48 major security vendors. In addition, The Gentlemen group has shown the ability to quickly adopt new proof-of-concept (PoC) exploit code within only a few days and often selects targets from organizations with misconfigured FortiGate devices. Preliminary reports also indicate that the group’s founder is a former member of a Russian ransomware group.

To respond to this type of threat, system administrators and relevant organizations should promptly review and strengthen the configuration of network devices, especially FortiGate appliances, in line with secure best practices. In addition, the publicly disclosed list of processes targeted by GentleKiller can be used to develop monitoring rules and detection strategies within organizational security systems. Organizations should increase monitoring for suspicious kernel-level driver loading behavior, watch for abnormal forced termination of security processes, and regularly update operating systems and security software to the latest versions in order to reduce the long-term risk of attacks using BYOVD techniques.
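As an added illustration of the detection approach suggested above (example code written for this summary, not from ESET or the article), the script below correlates constructed Sysmon-style events to flag a driver load that is followed by repeated terminations of security processes on a short, regular cadence; SecurityHealthService.exe is the one process name the report gives, and every other process, driver and actor name is a constructed placeholder.

```python
# Added detection example, not code from ESET or the article. It correlates
# constructed Sysmon-style records (driver load + process termination) to flag
# the pattern described above: a driver load followed by repeated kills of
# security processes on a short, regular cadence. Names below are made up.
from datetime import datetime, timedelta
from statistics import median

# Constructed watchlist: SecurityHealthService.exe is named in the report;
# the second entry stands in for a vendor's real agent process names.
WATCHED = {"securityhealthservice.exe", "placeholder-edr-agent.exe"}

# Constructed events: (timestamp, kind, actor process, target).
# "driver_load" mirrors Sysmon Event ID 6; "proc_kill" is a termination record.
EVENTS = [
    ("2026-06-22T10:00:00", "driver_load", "fake_av_proc.exe", "placeholder.sys"),
    ("2026-06-22T10:00:02", "proc_kill", "fake_av_proc.exe", "SecurityHealthService.exe"),
    ("2026-06-22T10:00:04", "proc_kill", "fake_av_proc.exe", "placeholder-edr-agent.exe"),
    ("2026-06-22T10:00:06", "proc_kill", "fake_av_proc.exe", "SecurityHealthService.exe"),
    ("2026-06-22T10:30:00", "proc_kill", "taskmgr.exe", "notepad.exe"),  # benign noise
]


def detect_edr_killer(events, window=timedelta(minutes=5), min_kills=2):
    """Return one alert per actor that loaded a driver and then terminated at
    least `min_kills` watched processes within `window` of that load.
    Alert = (actor, driver, kill_count, median_gap_seconds)."""
    alerts = []
    for ts, kind, actor, driver in events:
        if kind != "driver_load":
            continue
        load_time = datetime.fromisoformat(ts)
        kills = sorted(
            datetime.fromisoformat(t)
            for t, k, a, target in events
            if k == "proc_kill" and a == actor and target.lower() in WATCHED
            and load_time <= datetime.fromisoformat(t) <= load_time + window
        )
        if len(kills) < min_kills:
            continue
        # A tight, regular gap (the report describes a two-second scan loop)
        # is reported alongside the count so analysts can tune thresholds.
        gaps = [(b - a).total_seconds() for a, b in zip(kills, kills[1:])]
        alerts.append((actor, driver, len(kills), median(gaps) if gaps else 0.0))
    return alerts


if __name__ == "__main__":
    for alert in detect_edr_killer(EVENTS):
        print("ALERT: driver load followed by security-process kills:", alert)
```

In a real deployment the watchlist would be populated from the published GentleKiller process list and the driver-load check extended with a hash comparison against a vulnerable-driver blocklist.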

Source: https://securityaffairs.com/193941/uncategorized/inside-gentlekiller-the-edr-killer-powering-the-gentlemen.html