- As of June 2026, The Gentlemen ransomware-as-a-service platform has claimed 504 victims in roughly five months — a pace that outstrips competitors Akira (12 months) and Qilin (18 months) to reach comparable scale.
- The GentleKiller framework ships 8 distinct variants targeting more than 400 security processes across 48 vendors, including CrowdStrike, Microsoft Defender, SentinelOne, and Sophos.
- A 90/10 affiliate revenue split — versus the ransomware ecosystem's standard 70/30 — is the financial engine driving rapid affiliate recruitment and attack volume growth.
- As of March 2026, ESET Research tracks nearly 90 active EDR killer tools in the wild, with 54 confirmed variants using the Bring Your Own Vulnerable Driver (BYOVD) technique against 35 distinct signed drivers.
The Threat: EDR Killing Packaged as a Platform Feature
What if the most vulnerable component in your security stack is not your firewall, your VPN, or your cloud configuration — but the EDR software you deployed specifically to stop ransomware? That question has shifted from theoretical to operational, and a ransomware group calling itself The Gentlemen has built a platform around the answer.
CSO Online reported in detail on the group's infrastructure following a May 2026 breach of The Gentlemen's own platform by an unknown attacker, which exposed approximately 300 ransomware attacks conducted through the service and revealed internal operational details. ESET's WeLiveSecurity blog provides the most technically granular analysis: a centralized EDR-killing framework — GentleKiller — consisting of 8 distinct variants engineered to identify and terminate more than 400 monitored security processes spanning 48 different vendors. Targets include the dominant names in enterprise endpoint defense: CrowdStrike, Microsoft Defender, SentinelOne, and Sophos.
ESET's research identifies the group's founder as Alexander Andreevich Yapaev (online handle: hastalamuerte), a 36-year-old Russian national and former Qilin affiliate. That background is significant — Yapaev is not improvising. He is operationalizing institutional knowledge from inside an established ransomware operation, then layering in the infrastructure capability that most RaaS platforms leave to individual affiliates to improvise.
The group launched in September 2025 and, according to threat intelligence reporting from Halcyon, had claimed 504 victims as of June 2026 — achieving in five months what took competitor Akira twelve months and Qilin eighteen months. Their pre-positioned access inventory adds further scale: Halcyon reports The Gentlemen controls approximately 14,700 pre-compromised FortiGate devices worldwide, plus 969 validated brute-forced VPN credentials, allowing affiliates to bypass the noisy initial-access phase and move directly to deployment.
Blast Radius: Who Carries Real Exposure
The growth trajectory makes the exposure concrete. Halcyon's threat assessment data shows The Gentlemen logged 40 attacks in Q4 2025, then 166 in Q1 2026 — a 315% quarterly increase. Monthly attack volume nearly doubled from 48 in January 2026 to 91 in February 2026. The 90/10 affiliate revenue split, compared against the ransomware industry's standard 70/30, creates a direct financial incentive for criminal operators to choose this platform over competitors.
Chart: The Gentlemen ransomware group's confirmed attack volume surged 315% from Q4 2025 (40 attacks) to Q1 2026 (166 attacks), per Halcyon threat intelligence data as of June 2026.
The sectors carrying the heaviest exposure are those that treated EDR deployment as a destination rather than a layer: mid-market financial services, healthcare networks, critical infrastructure operators, and any enterprise that invested in endpoint detection and response as its primary — rather than one of several — security controls. Security researchers have flagged a structural tactical shift worth naming explicitly: the adversarial effort has migrated away from making encryptors stealthy and toward killing the monitoring layer before any payload runs. As researchers note, "all the sophisticated defense-evasion techniques have shifted to the user-mode components of EDR killers" rather than into the ransomware encryptors themselves. That means signature-based payload detection, the foundation of most legacy antivirus approaches, is increasingly beside the point.
The broader ecosystem context matters for incident response planning: multiple groups — BlackSuit, RansomHub, Medusa, Qilin, DragonForce, Crytox, Lynx, and INC — were all reported using commercial EDR killer tooling in early 2025, well before The Gentlemen formalized it as a platform-level service. Gentlemen's model is not an outlier. It is an acceleration of a trend already in motion.
The AI Wildcard: Machine-Generated Evasion at Scale
Recent EDR killer tools are exhibiting characteristics that threat analysts associate with AI-assisted code generation: standardized boilerplate structures, iterative trial-and-error mechanisms, and rapid operationalization of newly disclosed vulnerabilities within days of public proof-of-concept releases. This pattern complicates traditional threat attribution and compresses the window between vulnerability disclosure and weaponization.
The connection to widely available AI development tooling is not speculative. The same large language models that are reshaping developer productivity — benchmarked in AI Tools' analysis of leading enterprise coding assistants — are accessible to threat actors without licensing restrictions or usage monitoring. A moderately skilled affiliate can now iterate on a BYOVD exploit in hours. This is the democratization that ESET researcher Jakub Souček is pointing at when he notes that GentleKiller "democratize[s] EDR killing capabilities" by enabling "consistent encryptor deployment" without requiring affiliates to build custom evasion tools themselves.
As of March 2026, ESET Research had identified 54 EDR killer tools using BYOVD (Bring Your Own Vulnerable Driver, a technique that loads a legitimate but security-flawed Windows driver to gain kernel-level operating system access), exploiting 35 different signed vulnerable drivers. Total active EDR killers in the wild: nearly 90. The development pipeline is functioning.
The Defense Stack: Three Layers That Block This
The right defensive practices here are architectural, not reactive. Takedowns of individual RaaS platforms do not remove the underlying technique from circulation — GentleKiller's EDR-killing methodology is already spreading across the broader affiliate ecosystem. The controls need to work regardless of which group deploys them.
Layer 1 — Enforce Microsoft's Vulnerable Driver Blocklist. BYOVD attacks depend on loading a signed but vulnerable driver to reach kernel level. Microsoft maintains a blocklist of known vulnerable drivers deployable via Windows Defender Application Control (WDAC). As of June 21, 2026, according to ESET Research, 35 distinct vulnerable drivers are actively being exploited by EDR killer variants. A blocklist that has not been updated in six months is a documented gap. Deploy the policy via Intune or Group Policy and verify the version stamp.
Layer 2 — Audit tamper protection on every EDR sensor. Most enterprise EDR platforms — CrowdStrike, SentinelOne, Microsoft Defender among them — include tamper protection settings that require authenticated administrative confirmation before the agent can be stopped or uninstalled. This setting is frequently disabled during maintenance windows and never re-enabled. A quarterly audit of tamper protection status across your fleet is a compensating control that directly raises the cost of GentleKiller-style attacks, even when a vulnerable driver is successfully loaded.
Layer 3 — Patch FortiGate perimeters and rotate VPN credentials. The Gentlemen's pre-positioned access inventory — approximately 14,700 compromised FortiGate devices as of June 2026, per Halcyon threat intelligence — exists because perimeter appliances running unpatched firmware or default credentials represent persistent, low-noise footholds. FortiGate vulnerabilities including CVE-2024-21762 remain broadly exploited across ransomware operations. Segment perimeter devices from internal networks and enforce a credential rotation schedule tied to calendar dates, not incident triggers.
Ship This Control Today
One action. Not a checklist.
Enable and verify Microsoft's Vulnerable Driver Blocklist through WDAC on every Windows endpoint in your environment. The policy deploys via Intune or Group Policy in under an hour for most organizations. Confirm the blocklist version is current — auto-update is not guaranteed in all WDAC configurations. This single control directly addresses the BYOVD technique that underpins 54 of the confirmed EDR killer variants ESET tracked as of March 2026. It requires no new vendor contract, no budget cycle, and no security team headcount. It requires a policy push and a verification screenshot.
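The version-stamp verification that Layer 1 and this section call for, written here as an added example (not Microsoft's tooling and not code from the article): it parses the WDAC policy XML schema that Microsoft's published driver block rules use, reads the VersionEx stamp, and checks whether a given driver falls under a Deny rule. The policy excerpt, driver names, hash and the required minimum version are constructed placeholders, not values from the real blocklist.

```python
"""Inspect a WDAC policy XML for its version stamp and deny rules, and test
whether a driver (by file name + version, or by hash) is blocked by it.
Added example; the policy excerpt below is constructed, not Microsoft's file."""
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed excerpt in the WDAC policy schema; names and hash are placeholders.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.99999.0</VersionEx>
  <FileRules>
    <Deny ID="ID_DENY_A" FriendlyName="example_a.sys" FileName="example_a.sys"
          MaximumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_B" FriendlyName="example_b.sys" FileName="example_b.sys"
          MaximumFileVersion="2.0.0.0" />
    <Deny ID="ID_DENY_H" FriendlyName="placeholder hash rule" Hash="AABBCCDD" />
  </FileRules>
</SiPolicy>"""


def parse_version(v):
    """'10.0.99999.0' -> (10, 0, 99999, 0); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


def load_policy(xml_text):
    """Return (VersionEx string, list of Deny rule attribute dicts)."""
    root = ET.fromstring(xml_text)
    version = root.findtext("si:VersionEx", namespaces=NS)
    rules = [r.attrib for r in root.findall("si:FileRules/si:Deny", NS)]
    return version, rules


def policy_is_current(version, required_minimum):
    """True if the deployed stamp is at or above the version you expect."""
    return parse_version(version) >= parse_version(required_minimum)


def is_driver_denied(rules, filename, version, sha_hash=None):
    """True if a Deny rule covers this driver: a hash match, or a file-name
    match whose version sits inside the rule's [Minimum, Maximum] range
    (a missing MaximumFileVersion means every version is denied)."""
    for r in rules:
        if sha_hash and r.get("Hash", "").lower() == sha_hash.lower():
            return True
        if r.get("FileName", "").lower() != filename.lower():
            continue
        lo = parse_version(r.get("MinimumFileVersion", "0.0.0.0"))
        hi = parse_version(r.get("MaximumFileVersion", "65535.65535.65535.65535"))
        if lo <= parse_version(version) <= hi:
            return True
    return False
```

Run it against the policy XML you actually deploy rather than this excerpt; real WDAC policies also deny by signer and other attributes that this file-name and hash check does not cover.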
In my analysis, the most underestimated element of this story is not the tool — it is the revenue model. When you offer affiliates 90% of ransom proceeds versus the field's standard 70%, you do not merely attract more operators; you generate a faster feedback loop on which evasion techniques are working. That financial incentive to iterate is what makes the kernel-layer and driver-blocklist controls structurally more durable than any signature-based response. Ship the blocklist. Verify tamper protection. Then revisit whether EDR is a layer in your stack or your entire stack — because for The Gentlemen's affiliates, the answer to that question determines how long the attack takes.
Frequently Asked Questions
What are EDR killers and how are they used in ransomware attacks?
EDR killers are tools engineered to locate and terminate endpoint detection and response (EDR) agents — the security software that monitors process behavior and blocks malicious activity on individual machines. In modern ransomware operations, threat actors deploy an EDR killer before running the encryption payload, so the monitoring software cannot detect or interrupt the attack. The most common technique as of 2026 is BYOVD (Bring Your Own Vulnerable Driver), in which attackers load a legitimate but security-flawed Windows driver to gain kernel-level access — the deepest layer of the operating system — and forcibly shut down security processes from a position the EDR agent cannot see.
Can EDR software be bypassed even when it is fully patched and updated?
Yes, and this is the structural problem GentleKiller exposes at scale. BYOVD-based EDR bypass does not require exploiting a flaw in the EDR product itself. It exploits the Windows driver signing model: a signed driver from a legitimate vendor that contains a known vulnerability can be loaded by an attacker with sufficient access, granting kernel privileges that can be used to terminate any process — including the EDR agent. Even a fully updated EDR solution is exposed if the underlying Windows system permits that vulnerable-but-signed driver to load. Microsoft's Vulnerable Driver Blocklist, actively enforced via WDAC, is the direct mitigation — but it must be deployed and kept current, not just enabled in a default-permissive state.
How can organizations protect against BYOVD attacks targeting security software?
Three controls address BYOVD specifically. First, enforce Microsoft's Vulnerable Driver Blocklist through Windows Defender Application Control to block known-vulnerable drivers from loading. Second, enable tamper protection on your EDR platform so the agent requires authenticated administrative action to stop or uninstall. Third, implement application allowlisting at the driver level so only explicitly approved drivers can execute. No single control is sufficient in isolation, but the blocklist is the highest-impact starting point: as of March 2026, ESET Research confirmed 35 distinct vulnerable drivers being actively exploited by EDR killer variants, and the blocklist directly addresses this attack surface without requiring new tooling.
Why are EDR killers becoming standard equipment in ransomware-as-a-service platforms?
Because disabling the monitoring layer is more reliable than evading it. The earlier ransomware approach — continuously modifying encryptors to bypass detection — became an arms race that behavioral analysis was winning. Killing the EDR before deploying the encryptor sidesteps that race entirely: the payload no longer needs to be sophisticated, because it runs in an environment where monitoring has already been removed. RaaS platforms like The Gentlemen are now centralizing EDR killing as a managed service, lowering the technical barrier for affiliates and making attack outcomes more consistent across their networks. The broader adoption — with groups including BlackSuit, RansomHub, Medusa, and Qilin all using EDR killer tooling by early 2025 — confirms this is now standard ransomware operational practice, not a novelty.
Disclaimer: This article is editorial commentary based on publicly reported threat intelligence and does not constitute professional security consulting advice. Security configurations referenced may vary by environment — consult a qualified cybersecurity professional for guidance specific to your organization. Research based on publicly available sources current as of June 21, 2026.