GentleKiller: How The Gentlemen RaaS Group Handed Affiliates a Ready-Made EDR Termination Kit
A May 2024 breach of The Gentlemen ransomware-as-a-service platform exposed the group's 'GentleKiller' framework — a pre-packaged tool that lets low-skill affiliates disable enterprise endpoint detection and response software at the kernel level.

A ransomware-as-a-service group called The Gentlemen gave its affiliates a pre-built framework designed to kill endpoint detection and response (EDR) software, and a breach of the group's own infrastructure in May 2024 let security researchers see exactly how it works.
What Is GentleKiller?
GentleKiller is not a single piece of malware. It is an operational toolkit. Affiliates receive pre-packaged routines, ready-made evasion logic, and a curated list of roughly 400 processes from 48 security vendors — all wrapped in a structure that needs little technical knowledge to deploy. The goal is straightforward: blind the endpoint before dropping the ransomware encryptor.
ESET researcher Jakub Souček, who analyzed the leaked platform data, explained that tools like GentleKiller expand the pool of viable affiliates. By removing the need to build bespoke evasion code, The Gentlemen can recruit operators who would otherwise lack the skill to circumvent modern endpoint defenses. More affiliates means more attacks. The economics are simple.
The 90/10 Split That Makes the Model Attractive
The Gentlemen operates on an unusually generous revenue-sharing arrangement: affiliates keep 90 percent of each ransom payment and the platform takes 10 percent, against the 70/30 or 80/20 splits more typical across the broader RaaS ecosystem. The Verizon 2024 Data Breach Investigations Report puts ransomware in 23 percent of all breaches, a figure driven in large part by the professionalization of exactly these affiliate models. A 90/10 cut lowers the financial friction for joining, while GentleKiller lowers the technical friction. Together they form a recruitment funnel.
Bring Your Own Vulnerable Driver: The Technical Core
At the heart of GentleKiller is Bring Your Own Vulnerable Driver (BYOVD), a technique ransomware crews have used for years; RobbinHood abused a signed Gigabyte driver for the same purpose in 2020. The attacker, already running with local administrator rights, loads a legitimately signed driver that carries a known kernel-level vulnerability and exploits it to read and write kernel memory or to issue kernel-mode process kills. That bridge is the whole point: even an administrator cannot terminate a protected EDR service from user space, but a vulnerable driver hands the attacker ring-0 access that can.
What makes BYOVD particularly stubborn is that the drivers involved carry valid vendor signatures, so they pass the signature checks that default driver policies rely on. Blocking them is not as simple as flagging unsigned software. The National Vulnerability Database tracks dozens of driver vulnerabilities that have been weaponized this way, and CISA's Known Exploited Vulnerabilities catalog flags the subset confirmed in active use; browsing either for driver elevation-of-privilege entries illustrates the scope of the problem.
Souček's remediation guidance is specific: organizations should enable Hypervisor-Protected Code Integrity (HVCI), which moves Kernel-mode Code Integrity (KMCI) enforcement into a hypervisor-isolated environment that the normal kernel cannot modify. A vulnerable driver that reaches ring 0 still cannot load or patch in unsigned kernel code, which removes a large class of the tricks EDR killers rely on. Two caveats matter. HVCI enforces signature policy; it does not know which validly signed drivers are vulnerable, so blocking those remains the job of the driver block list (which current Windows 11 releases apply automatically when HVCI is on). And Microsoft documents HVCI as hardware-dependent (virtualization extensions, second-level address translation and, ideally, an IOMMU), so older fleets may need hardware refreshes before it can be enforced broadly.
Why the May Breach Matters Beyond Intelligence
When The Gentlemen's platform was breached in May 2024, it handed defenders something rare: an inside look at how a mature RaaS operation packages and distributes offensive tooling. The breach was an intelligence windfall, but it also confirmed a troubling trend. EDR evasion is no longer reserved for nation-state actors or elite criminal groups. It is being productized, versioned, and distributed through affiliate networks the same way legitimate software companies distribute SDKs.
This industrialization is the real story. GentleKiller covering 400 processes across 48 vendors is not accidental. It reflects sustained engineering investment. Someone audited the most widely deployed endpoint products, mapped their process names, and built suppression routines for each one. That level of preparation indicates a professionalized operation — not opportunistic hacking.
Which Controls Failed — and What Defenders Must Learn
GentleKiller exposes a layered control failure, not a single gap. First, driver allowlisting is rarely enforced with precision in enterprise environments. Organizations that have not deployed a Windows Defender Application Control (WDAC) policy with an explicit deny list for known-vulnerable drivers are leaving the door open to BYOVD. The Microsoft Recommended Driver Block List, updated periodically, exists precisely for this purpose and is free to deploy; roll it out in WDAC audit mode first so that any legitimate driver it catches shows up as an event rather than as a broken endpoint.
Second, the affiliate model exploits the human layer. The affiliates themselves are recruited on underground forums; the initial access they then obtain almost always involves a human making a mistake: clicking a phishing link, reusing credentials, or leaving a remote access service misconfigured. That foothold precedes any EDR killer deployment, and security awareness training directly addresses it. When employees across finance, IT, and operations understand how ransomware affiliates gain entry, the attacker's first step becomes harder. Train2Secure's phishing simulation and awareness modules are built around exactly these real-world affiliate attack chains, not hypothetical scenarios.
Third, EDR alone is not a complete defense posture. The entire premise of GentleKiller is that EDR can be neutralized if the attacker reaches the kernel first. Organizations that treat their EDR subscription as a ceiling rather than a floor are structurally exposed. Segmentation, privileged access workstations, least-privilege driver policies, and HVCI collectively make the kernel harder to reach — and those controls are documented in NIST SP 800-53 under system and communications protection and configuration management families.
Immediate Steps for Security Teams
The actions are not exotic. Enforce HVCI on all hardware that supports it. Apply the Microsoft Recommended Driver Block List via WDAC policy. Audit which signed drivers are present in your environment against that block list and against current CVE records at the NVD, matching on file hash and on the original file name recorded in the driver's version resource rather than on the on-disk name, which an attacker can rename at will. Restrict who can load drivers at all: loading a kernel driver requires administrative privilege, so every standing local administrator account is a potential BYOVD launch point, and standard users should never hold that right. Review your EDR vendor's tamper-protection settings; most enterprise EDR platforms have an explicit anti-tampering mode that must be actively enabled, not just installed.
Finally, revisit detection logic. If GentleKiller targets 400 known process names, behavioral detection that watches for mass process termination events, especially several security-tool processes exiting within a short window on one host, should be a high-priority alert, not a low-fidelity noise source. Source that telemetry from outside the EDR (Sysmon Event ID 5 or Security event 4689, forwarded off the host), because a sensor killed from the kernel will not report its own death, and alert on sensor silence as well as on the kills themselves. Tune that rule. Escalate it. Make it a P1.
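The block-list and driver-audit steps above (and the WDAC deny-list point under "Which Controls Failed") are easier to reason about with a concrete audit. The following is an added example written for this page, not code from ESET, Microsoft or The Gentlemen's toolkit. Everything in it is constructed: the deny rules mimic the shape of Microsoft's recommended driver block rules (WDAC policy XML with Deny entries keyed by FileName plus a version bound, or by Hash), but the policy namespace is an assumption, the driver names, versions and hashes are invented, and the hash is a flat SHA-256 stand-in for the Authenticode hash WDAC really uses. The inventory is the kind of table you would build from `driverquery /v` plus a hash and the PE version resource.

```python
"""Added example: audit a host's loaded-driver inventory against a WDAC-style
vulnerable-driver deny list. All rules, names, versions and hashes are
constructed for illustration; they are not Microsoft's real block list."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SIPOLICY_NS = "urn:schemas-microsoft-com:sipolicy"   # assumed WDAC policy namespace
RENAMED_HASH = "7C5E1B2A" + "0" * 52 + "DEAD"        # constructed hash value

# Constructed excerpt in the shape of the published block rules (hypothetical).
BLOCKLIST_XML = f"""<SiPolicy xmlns="{SIPOLICY_NS}">
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLEVULN" FriendlyName="examplevuln.sys, all versions"
          FileName="examplevuln.sys" MaximumFileVersion="65535.65535.65535.65535"/>
    <Deny ID="ID_DENY_OLDTOOL" FriendlyName="oldtool.sys up to and including 2.0"
          FileName="oldtool.sys" MaximumFileVersion="2.0.0.0"/>
    <Deny ID="ID_DENY_HASH1" FriendlyName="vulnerable driver with stripped resources"
          Hash="{RENAMED_HASH}"/>
  </FileRules>
</SiPolicy>
"""

Version = Tuple[int, int, int, int]


def version_tuple(text: Optional[str]) -> Optional[Version]:
    """'1.2.3.4' -> (1, 2, 3, 4); a missing attribute means 'no bound'."""
    if not text:
        return None
    parts = [int(p) for p in text.split(".")] + [0, 0, 0, 0]
    return tuple(parts[:4])  # type: ignore[return-value]


@dataclass(frozen=True)
class DenyRule:
    rule_id: str
    file_name: Optional[str]        # compared with the PE OriginalFilename
    min_version: Optional[Version]
    max_version: Optional[Version]
    file_hash: Optional[str]


def parse_deny_rules(xml_text: str) -> List[DenyRule]:
    """Collect every <Deny> element from a WDAC policy document."""
    root = ET.fromstring(xml_text)
    rules = []
    for deny in root.iter(f"{{{SIPOLICY_NS}}}Deny"):
        rules.append(DenyRule(
            rule_id=deny.get("ID", ""),
            file_name=(deny.get("FileName") or "").lower() or None,
            min_version=version_tuple(deny.get("MinimumFileVersion")),
            max_version=version_tuple(deny.get("MaximumFileVersion")),
            file_hash=(deny.get("Hash") or "").upper() or None,
        ))
    return rules


@dataclass(frozen=True)
class LoadedDriver:
    path: str            # on-disk name: attacker-chosen, never match on it alone
    original_name: str   # OriginalFilename from the PE version resource
    version: str
    sha256: str
    signer: str


def rule_matches(rule: DenyRule, drv: LoadedDriver) -> bool:
    """Hash rules match the file bytes; name rules match original name + version range."""
    if rule.file_hash:
        return drv.sha256.upper() == rule.file_hash
    if rule.file_name != drv.original_name.lower():
        return False
    ver = version_tuple(drv.version) or (0, 0, 0, 0)
    above_min = rule.min_version is None or ver >= rule.min_version
    below_max = rule.max_version is None or ver <= rule.max_version
    return above_min and below_max


def audit(inventory: List[LoadedDriver], rules: List[DenyRule]) -> Dict[str, List[str]]:
    """Map each blocked driver's path to the IDs of the deny rules it hits."""
    findings: Dict[str, List[str]] = {}
    for drv in inventory:
        hits = [r.rule_id for r in rules if rule_matches(r, drv)]
        if hits:
            findings[drv.path] = hits
    return findings


# Constructed inventory: two clean drivers, two vulnerable ones under their own
# names, one renamed on disk, and one with its version resource stripped.
INVENTORY = [
    LoadedDriver(r"C:\Windows\System32\drivers\ntfs.sys", "ntfs.sys",
                 "10.0.19041.1", "11" * 32, "Microsoft Windows"),
    LoadedDriver(r"C:\Windows\Temp\examplevuln.sys", "examplevuln.sys",
                 "1.2.3.4", "22" * 32, "Example Hardware Co."),
    LoadedDriver(r"C:\Windows\System32\drivers\oldtool.sys", "oldtool.sys",
                 "1.9.0.0", "33" * 32, "Example Tools Ltd."),
    LoadedDriver(r"C:\Program Files\OldTool\oldtool.sys", "oldtool.sys",
                 "2.1.0.0", "44" * 32, "Example Tools Ltd."),   # fixed build, above max
    LoadedDriver(r"C:\ProgramData\svc.sys", "examplevuln.sys",
                 "1.2.3.4", "55" * 32, "Example Hardware Co."),  # renamed on disk
    LoadedDriver(r"C:\ProgramData\upd.sys", "upd.sys",
                 "3.0.0.0", RENAMED_HASH, "Example Hardware Co."),  # only the hash gives it away
]


def audit_sample() -> Dict[str, List[str]]:
    return audit(INVENTORY, parse_deny_rules(BLOCKLIST_XML))


if __name__ == "__main__":
    for path, hits in audit_sample().items():
        print(f"BLOCKED  {path}  <- {', '.join(hits)}")
```

Two of the six constructed drivers are only caught because the audit matches on the PE original file name and on the hash; matching on the on-disk file name alone would have missed both, which is exactly the gap an affiliate dropping a renamed driver into a temp directory relies on.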
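The mass-termination rule described above, as an added example written for this page rather than any vendor's or ESET's detection content. The watchlist is a hand-picked handful of process names, not the roughly 400-entry list from the leaked toolkit; the hosts, PIDs and timestamps are invented; and the flat "key: value | key: value" layout is a stand-in for the real Sysmon event XML. It also carries the sensor-silence check, because a sensor killed from the kernel cannot report its own death.

```python
"""Added example: burst detection for security-tool process terminations over
constructed Sysmon-style ProcessTerminate (Event ID 5) records, plus a
sensor-silence check. Watchlist, hosts, PIDs and times are all constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

SECURITY_PROCESSES = {  # constructed watchlist of lower-case image basenames
    "msmpeng.exe", "mssense.exe", "sensecncproxy.exe", "csfalconservice.exe",
    "sentinelagent.exe", "ekrn.exe", "elastic-endpoint.exe",
}

# Constructed records: one process-create event (ignored), a four-process sweep
# on WS-042 in under four seconds, and two unrelated Defender restarts on WS-007.
SAMPLE_LOG = r"""UtcTime: 2024-05-14 10:02:00.000 | EventID: 1 | Image: C:\Windows\Temp\loader.exe | ProcessId: 5100 | Computer: WS-042
UtcTime: 2024-05-14 10:02:01.120 | EventID: 5 | Image: C:\Program Files\Windows Defender\MsMpEng.exe | ProcessId: 4120 | Computer: WS-042
UtcTime: 2024-05-14 10:02:01.450 | EventID: 5 | Image: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe | ProcessId: 4388 | Computer: WS-042
UtcTime: 2024-05-14 10:02:02.010 | EventID: 5 | Image: C:\Program Files\Google\Chrome\Application\chrome.exe | ProcessId: 7788 | Computer: WS-042
UtcTime: 2024-05-14 10:02:03.300 | EventID: 5 | Image: C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe | ProcessId: 4402 | Computer: WS-042
UtcTime: 2024-05-14 10:02:04.900 | EventID: 5 | Image: C:\Program Files\ESET\ESET Security\ekrn.exe | ProcessId: 3012 | Computer: WS-042
UtcTime: 2024-05-14 10:15:00.000 | EventID: 5 | Image: C:\Program Files\Windows Defender\MsMpEng.exe | ProcessId: 2200 | Computer: WS-007
UtcTime: 2024-05-14 11:40:00.000 | EventID: 5 | Image: C:\Program Files\Windows Defender\MsMpEng.exe | ProcessId: 9001 | Computer: WS-007"""


def parse_event(line: str) -> Optional[dict]:
    """Flatten one record; keep only EventID 5 (process terminated)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    if fields.get("EventID") != "5":
        return None
    return {
        "time": datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
        "host": fields["Computer"],
        "image": PureWindowsPath(fields["Image"]).name.lower(),
        "pid": int(fields["ProcessId"]),
    }


def detect_mass_kill(events: List[dict], window: timedelta = timedelta(seconds=30),
                     threshold: int = 3) -> List[dict]:
    """Alert when at least `threshold` distinct watchlisted processes exit on the
    same host inside `window`. One alert per burst: the host's window is cleared
    after alerting so a 400-process sweep does not page hundreds of times."""
    recent: Dict[str, deque] = defaultdict(deque)   # host -> (time, image) in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["image"] not in SECURITY_PROCESSES:
            continue
        q = recent[ev["host"]]
        q.append((ev["time"], ev["image"]))
        while ev["time"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {img for _, img in q}
        if len(distinct) >= threshold:
            alerts.append({"host": ev["host"], "first": q[0][0], "last": ev["time"],
                           "processes": sorted(distinct), "severity": "P1"})
            q.clear()
    return alerts


def silent_hosts(last_seen: Dict[str, datetime], now: datetime,
                 max_silence: timedelta = timedelta(minutes=15)) -> List[str]:
    """Hosts whose EDR sensor has not checked in within max_silence. This runs
    alongside the kill rule because a sensor killed at the kernel level never
    sends the event that would describe its own termination."""
    return sorted(h for h, t in last_seen.items() if now - t > max_silence)


def run_sample():
    events = [e for e in map(parse_event, SAMPLE_LOG.splitlines()) if e]
    alerts = detect_mass_kill(events)
    # Constructed EDR console check-in table for the same two hosts.
    now = datetime(2024, 5, 14, 10, 30)
    last_seen = {"WS-042": datetime(2024, 5, 14, 10, 1, 50),
                 "WS-007": datetime(2024, 5, 14, 10, 28)}
    return alerts, silent_hosts(last_seen, now)


if __name__ == "__main__":
    alerts, silent = run_sample()
    for a in alerts:
        print(f"{a['severity']} {a['host']}: {len(a['processes'])} security processes "
              f"exited between {a['first']} and {a['last']}: {a['processes']}")
    print("sensors silent:", silent)
```

The rule counts distinct process names rather than raw exit events, so a single agent that crashes and restarts twice (WS-007 here) never fires, while the sweep on WS-042 fires once and then goes quiet. In production the window and threshold are the tuning knobs; the sensor-silence check is the one that still works after the sweep succeeded.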
The Gentlemen may be disrupted for now. Their platform model, and the tools they shipped, will persist in copies, forks, and copycat groups. GentleKiller is a design pattern, not just a specific file. Defenders who understand the pattern are better positioned than those who only hunt the hash.
How your team can close the human-layer gap ransomware affiliates exploit
- Run phishing simulations mapped to the social-engineering tactics ransomware affiliates use for initial access — credential theft, malicious macros, and fake IT helpdesk lures.
- Train employees in finance, IT operations, and remote-access roles to recognize the early signs of a compromised environment, including unexpected driver installation alerts.
- Align your security awareness curriculum with NIST SP 800-53 controls so your training program directly supports your compliance posture.
Train2Secure's awareness modules are built around real RaaS attack chains, not generic scenarios, so your team learns to recognize the specific tactics groups like The Gentlemen rely on for first access.
Sources & further reading
- https://nvd.nist.gov/vuln/detail/CVE-2024-26229
- https://www.microsoft.com/en-us/security/blog/2023/10/03/microsoft-blocks-vulnerable-drivers-to-protect-against-bring-your-own-vulnerable-driver-attacks/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- https://www.verizon.com/business/resources/reports/dbir/
Frequently asked questions
What is GentleKiller and how does it work?
GentleKiller is an EDR killer framework distributed by The Gentlemen ransomware-as-a-service group. It uses the Bring Your Own Vulnerable Driver (BYOVD) technique to load a validly signed but vulnerable driver, gain kernel-level privileges, and then terminate endpoint detection and response processes before the ransomware encryptor is deployed. The toolkit includes suppression routines for approximately 400 processes across 48 security vendors.
What is the Bring Your Own Vulnerable Driver (BYOVD) technique?
BYOVD is an attack method in which a threat actor who already holds administrative rights loads a legitimate, validly signed driver that contains a known vulnerability. Because the driver is signed, it passes default driver-signature checks. Once loaded, the attacker exploits the vulnerability to run code or issue commands at the kernel level, reaching protected EDR processes that no user-space code, administrative or not, is allowed to touch.
How can organizations defend against BYOVD-based EDR killers?
Key defenses include enabling Hypervisor-Protected Code Integrity (HVCI) on supported hardware, deploying Microsoft's Recommended Driver Block List via Windows Defender Application Control (WDAC), restricting driver loading to privileged administrative accounts, and enabling tamper protection in your EDR platform. Organizations should also monitor for mass security-process termination events as a high-priority behavioral alert.
Why does The Gentlemen's 90/10 revenue split matter to defenders?
A 90 percent affiliate payout is unusually generous in the RaaS market and dramatically lowers the financial barrier to joining the program. Paired with GentleKiller's technical simplicity, it means The Gentlemen can recruit a much larger and less-skilled affiliate base, increasing the volume and geographic spread of ransomware attacks. Understanding the affiliate recruitment model helps defenders anticipate the initial-access tactics those affiliates will use.

