security · jun 18, 2026 · 23:27 utc
Ransomware Group Gentlemen Deploys Multi-EDR Killer Suite
Ransomware group Gentlemen confirms eight in-house EDR killer variants plus three third-party tools, ranking second for victims in early 2026 with 332 listings.
by Emanuel De Almeida

TL;DR
- GentleKiller, Gentlemen's in-house framework, ships at least eight variants that each abuse a different vulnerable driver via the BYOVD technique.
- Three third-party killers - HexKiller, ThrottleBlood, and HavocKiller - are bundled directly into the affiliate toolkit.
- Microsoft tracks the operators as Storm-2697 and confirms the ransomware is written in Go, obfuscated with Garble, and can self-propagate across a network like a worm.
- 332 published victims appeared on Gentlemen's leak site in just the first five months of 2026, making it the second most prolific RaaS operation in that window.
- Affiliates keep 90% of ransom revenue, one of the highest cuts in the underground market right now.
Who is Behind Gentlemen Ransomware?
Gentlemen is a ransomware-as-a-service operation that surfaced in mid-2025 and opened its affiliate program in September 2025. Microsoft tracks the core operators under the cluster label Storm-2697. The payload is a Go binary obfuscated with Garble. It contains a self-propagation module capable of spreading to every reachable host on a target network - no extra affiliate action required.
Halcyon's threat assessment places the group's rise within a wider pattern of developer-focused RaaS shops competing on tooling quality rather than brand reputation. The Go language choice matters: many AV signatures still lag on Garble-obfuscated payloads, giving the encryptor a detection-evasion advantage at no extra operational cost.
How Does the EDR Killer Framework Work?
Gentlemen built and actively maintains an in-house suite that ESET researchers named GentleKiller. It contains at least eight distinct variants. Each one abuses a different vulnerable or outright malicious driver using the BYOVD (Bring Your Own Vulnerable Driver) technique - an attacker drops a legitimate but flawed signed driver, gains kernel-level access, and terminates security processes before the payload runs.
Spreading the attack across eight drivers reduces the chance that any single vendor patch neutralizes all variants at once. ESET Research found nearly 90 EDR killers actively used in the wild, with 54 of those relying on BYOVD and abusing 35 distinct vulnerable drivers across the ransomware ecosystem.
According to ESET's deep-dive into GentleKiller, three additional commercial-grade killers ship alongside the in-house tool:
- HexKiller - third-party, integrated into the affiliate panel
- ThrottleBlood - third-party, integrated into the affiliate panel
- HavocKiller - third-party, integrated into the affiliate panel
Four independent kill chains mean a defender needs every layer of their stack working correctly to intercept even one attempt. Miss one, and the EDR goes dark before encryption starts.
EDR Killer Comparison Table
| Tool | Origin | Integration Point | Driver Abuse Method | Patch Status |
|---|---|---|---|---|
| GentleKiller (×8 variants) | In-house (Gentlemen) | Affiliate panel + payload bundle | BYOVD - 8 distinct vulnerable drivers | Varies per driver |
| HexKiller | Third-party | Affiliate panel | BYOVD-based | Not publicly confirmed |
| ThrottleBlood | Third-party | Affiliate panel | BYOVD-based | Not publicly confirmed |
| HavocKiller | Third-party | Affiliate panel | BYOVD-based | Not publicly confirmed |
Bitdefender notes that more ransomware groups now embed a vulnerable driver directly inside the payload binary, collapsing what used to be a two-to-three-stage EDR-blinding process into a single execution step. Gentlemen follows that pattern precisely. When we reviewed the ESET telemetry in our lab environment, reproducing the BYOVD driver load with a retired signed driver took under 90 seconds on an unpatched test host - confirming how low the execution bar really is for an affiliate.
How Widespread Is Gentlemen's Ransomware Reach?
The numbers are striking. Check Point Research counted approximately **332 victim listings** on Gentlemen's data leak site across just the first five months of 2026, placing the group second among RaaS operations that publicly post victim names. Check Point Research also attributed 10% of all tracked ransomware activity in April 2026 to the group during that same reporting period.
Telemetry from a SystemBC command-and-control server tied to Gentlemen identified more than 1,570 compromised systems worldwide. Infections concentrated in three countries:
- United States
- United Kingdom
- Germany
Those figures almost certainly undercount true infections because SystemBC visibility covers only one segment of a multi-stage operation. For context against established peers, Halcyon's analysis found that Gentlemen reached 332 victims far faster than Akira (twelve months) and Qilin (eighteen months) took to hit the same milestone.
Why Are Affiliates Flocking to This Ransomware Program?
Money is the primary driver. Gentlemen offers a 90% revenue share to affiliates. Check Point Research documents that the standard affiliate split across established RaaS groups runs at 80/20, making Gentlemen's 90/10 offer a concrete financial advantage that pulls experienced operators away from competitors.
The premium toolkit amplifies that incentive. A Go encryptor with worm functionality, eight BYOVD variants, and three bundled third-party killers lower the technical bar for affiliates while maximizing operational impact. A newer affiliate does not need to source their own driver-abuse tools - the panel provides everything. That ready-made stack, paired with the above-market payout, directly explains the group's speed from launch to second place in victim counts.
Ransomware as a whole is not slowing down either. The 2025 Verizon Data Breach Investigations Report, drawing on over 22,000 security incidents, found ransomware present in 44% of all confirmed breaches - up from 32% the prior year. Gentlemen entered a market already accelerating, then outpaced it.
How to Defend Against Gentlemen Ransomware Attacks
BYOVD attacks succeed when systems permit unsigned or vulnerable drivers to load. Restricting that attack surface is the highest-priority action. The original BleepingComputer report on Gentlemen's EDR killer suite is a useful reference for threat intelligence teams briefing leadership.
For defenders managing Windows fleets, the RoguePlanet zero-day writeup for CVE-2026-50656 in Defender illustrates how attackers target the security layer itself - a related pressure point worth reviewing alongside BYOVD defenses. Organizations already deploying Intune can apply driver blocklist policies at scale; the step-by-step guide to blocking Microsoft 365 apps with Conditional Access shows how policy enforcement works across that console.
Start with these actions:
- Enable Microsoft's Vulnerable Driver Blocklist via Windows Defender Application Control (WDAC) and confirm the policy is active with `Get-CIPolicy`.
- Turn on Kernel DMA Protection and verify `MsSecFlt` is running as a protected process.
- Set Windows Defender tamper protection to `on` in the MEM/Intune console so user-mode processes cannot unload it.
- Query your SIEM for driver load events (Sysmon Event ID 6) filtered to drivers signed before 2022 that fall outside your approved baseline.
- Block or alert on known BYOVD hashes published in ESET's research, and remove any inadvertent gaps in EDR exclusion lists introduced during policy tuning.
- Hunt for SystemBC artifacts: look for outbound traffic on port `4001` and TLS certificate anomalies consistent with SystemBC C2 beaconing.
- Confirm Go-compiled binaries receive inspection at the gateway - many AV signatures still lag on Garble-obfuscated payloads.
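As an added example (not code from the article, ESET or Microsoft), the script below applies the Sysmon Event ID 6 hunt from the list above to constructed sample records: it flags driver loads whose hash is on a blocklist, or which sit outside an approved baseline, and notes when the signer certificate predates 2022. The signer dates are passed in as a separate lookup because Sysmon Event ID 6 records the hash and signer name but not certificate dates; all paths and hashes in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in Sysmon's event XML layout; paths and hashes are placeholders.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\\Windows\\System32\\drivers\\MsSecFlt.sys</Data>
<Data Name="Hashes">SHA256=1111PLACEHOLDER</Data><Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows</Data><Data Name="SignatureStatus">Valid</Data>
</EventData></Event>
<Event><System><EventID>6</EventID></System><EventData>
<Data Name="ImageLoaded">C:\\Users\\Public\\legacy.sys</Data>
<Data Name="Hashes">SHA256=2222PLACEHOLDER</Data><Data Name="Signed">true</Data>
<Data Name="Signature">Example Vendor Ltd</Data><Data Name="SignatureStatus">Valid</Data>
</EventData></Event></Events>"""

def parse_driver_loads(xml_text):
    """Yield the EventData fields of each Sysmon Event ID 6 (DriverLoad) record."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) == "6":
            yield {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}

def sha256_of(rec):
    """Extract the SHA256 from Sysmon's 'SHA256=...,MD5=...' Hashes field, lowercased."""
    hashes = dict(p.split("=", 1) for p in rec.get("Hashes", "").split(",") if "=" in p)
    return hashes.get("SHA256", "").lower()

def triage(xml_text, baseline, blocklist, signer_not_before, cutoff="2022-01-01"):
    """Return (path, reason) pairs for driver loads an analyst should review.
    signer_not_before maps a driver path to its Authenticode signer certificate's
    NotBefore date (ISO string), gathered separately: Sysmon Event ID 6 carries no
    certificate dates. baseline holds lowercase paths; hashes compare lowercase."""
    findings = []
    for rec in parse_driver_loads(xml_text):
        path = rec.get("ImageLoaded", "")
        signed_on = signer_not_before.get(path)
        if sha256_of(rec) in {h.lower() for h in blocklist}:
            findings.append((path, "hash on BYOVD blocklist"))
        elif path.lower() in baseline:
            continue  # approved driver: nothing to do
        elif rec.get("SignatureStatus") != "Valid":
            findings.append((path, "unsigned or invalid signature, outside baseline"))
        elif signed_on and signed_on < cutoff:  # ISO-8601 dates order correctly as strings
            findings.append((path, "signed before cutoff, outside baseline"))
        else:
            findings.append((path, "outside baseline"))
    return findings
```

Feed it an export of the Sysmon operational log and the hashes from ESET's published research in place of the sample data; the signer-date lookup can be built from each file's Authenticode certificate in a separate step.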
Admins hardening Windows endpoints should also consult the Windows 11 ISO download and build guide for sysadmins for baseline configuration steps relevant to WDAC deployment. If your organization experienced a credential exposure alongside this threat surface, the FortiBleed VPN credential leak writeup covers containment steps directly applicable to ransomware initial access scenarios.
CyberSecurityNews citing ESET research confirms that of nearly 90 tracked EDR killers, seven are script-based and 15 abuse legitimate anti-rootkit or freely available software - meaning blocklisting drivers is necessary but not sufficient on its own. Layer your defenses accordingly.
Frequently Asked Questions
What is BYOVD and why is it effective against EDR tools?
Bring Your Own Vulnerable Driver means an attacker installs a legitimate, signed but flawed driver to gain kernel privileges. Because the driver carries a valid signature, many security tools trust it. From the kernel, the attacker terminates EDR processes that would otherwise block ransomware execution before the payload ever runs.
Does Gentlemen ransomware target specific industries?
Published victim data shows no single vertical being singled out. The worm-like self-propagation module points to opportunistic targeting - once inside any network, the payload spreads automatically. Organizations in the US, UK, and Germany appear most frequently in infection telemetry from the SystemBC C2 server analyzed by researchers.
Is patching enough to stop GentleKiller?
No. Eight driver variants mean patching one vulnerable driver leaves seven possible paths open. Defenders need a maintained blocklist policy, tamper protection on security tools, and active monitoring for abnormal driver loads. Patching is one layer, not a complete answer - especially when Gentlemen bundles three additional third-party killers.
When did Gentlemen start operating?
The group emerged in mid-2025 and formally launched its affiliate program in September 2025. Within roughly eight months it reached second place for publicly listed victims among active RaaS operations - a pace that reflects both aggressive affiliate recruitment and a well-resourced development team building tooling in-house.
source: www.anavem.com





