Researchers at ESET have pulled apart the homegrown toolkit that one of 2026's fastest-growing ransomware crews uses to blind security software before it encrypts a network. The gang, tracked as Gentlemen, does something most ransomware operations leave to their freelance partners: it builds and maintains its own suite of "EDR killers," tools designed to shut down the endpoint detection and response products that defenders rely on, and hands them to affiliates as part of the service.
Gentlemen surfaced in late 2025 and quickly climbed into the top five most active ransomware operations of early 2026. It runs a classic ransomware-as-a-service model, renting its malware to affiliates who break into victims and deploy it, then splitting the proceeds. Gentlemen sweetens the deal with an unusually generous 90% cut for affiliates and, crucially, with ready-made tooling to disable defenses. According to Group-IB, the operation was founded by a figure using the handle hastalamuerte, a disgruntled former Qilin affiliate, while PRODAFT has reported that its operators previously worked with Qilin, Embargo, LockBit, Medusa, and BlackLock. Investigative reporter Brian Krebs published evidence pointing to hastalamuerte's real-world identity on June 10, 2026.
What makes Gentlemen different
In most ransomware intrusions, finding a reliable way to kill EDR falls to the individual affiliate. Gentlemen flips that around. ESET says the operators actively develop an in-house framework, which ESET has named GentleKiller, and offer it, alongside borrowed tools, to trusted affiliates. ESET first suspected this in February 2026, and an internal data leak the gang suffered in May 2026 confirmed it: in the leaked chats, the group's leader openly discussed maintaining and supplying EDR killer packages.
GentleKiller is not a single program but a family with at least eight variants. Each one disguises itself as a different legitimate product and abuses a different vulnerable or malicious Windows driver to gain the deep system access needed to terminate protected security processes, a technique known as Bring Your Own Vulnerable Driver (BYOVD). The approach works because the abused driver carries a valid signature and so loads like any other, while a flaw in it hands user-mode code a kernel-level primitive, such as terminating an arbitrary process, that sidesteps the protections (for example, Protected Process Light and kernel object callbacks) that normally keep an EDR agent from being killed. The variants impersonate names like Kaspersky, an EA anti-cheat tool, and the Valorant anti-cheat driver, and lean on flawed drivers from anti-cheat platforms, security vendors, and cleanup utilities. ESET counts more than 400 security-related processes that GentleKiller tries to kill, spanning roughly 48 products from Microsoft (Defender), CrowdStrike, SentinelOne, Sophos, Bitdefender, and Kaspersky, among others.
The gang also folds in third-party EDR killers it calls HexKiller, ThrottleBlood, and HavocKiller, plus a credential stealer ESET names OxideHarvest. Whatever the origin, the tools get a shared coat of paint: commercial packers such as Enigma or Themida, fake version information, digital signatures copied from legitimate software, and matching icons, all chosen to make a malicious binary look like a trusted security product. A copied signature does not verify against the repackaged binary, so a check that a signature is valid, rather than merely present, still exposes these files. ESET also notes that Gentlemen can turn a freshly published vulnerable driver proof-of-concept into a working EDR killer within days.
Who is in the crosshairs
Unlike most top-tier gangs, which draw roughly half their victims from the United States, Gentlemen spreads its targeting across Southeast Asia, South America, and Western Europe, hitting countries such as Thailand, Brazil, and France. The leaked data suggests victims are picked centrally, largely based on exposed or misconfigured FortiGate firewalls rather than geography, then parcelled out to affiliates. For background on the crew, see our report on The Gentlemen's rapid run of victims, and for how driver abuse plays out in other crews, our coverage of BlackByte's vulnerable driver attacks.
What you should do
Defenders cannot patch away a gang's playbook, but several steps blunt BYOVD-style EDR killers. Turn on Microsoft's vulnerable driver blocklist so known-bad drivers cannot load: on Windows 11 it is enforced whenever memory integrity (HVCI) or Smart App Control is on, and on other supported builds it can be switched on through the CI\Config registry key or a WDAC policy. Bear in mind that the built-in list is only refreshed with Windows servicing releases, so for drivers whose abuse is newly public, deploy Microsoft's recommended driver block rules as a WDAC policy rather than waiting for the next update. Enable tamper protection and uninstall protection in your EDR so the agent cannot be silently stopped. Because loading a kernel driver requires administrative privileges, keeping local admin rights scarce also raises the bar. Watch for new or unexpected kernel drivers being dropped and loaded (Sysmon Event ID 6 for driver loads and Security Event ID 4697 for kernel-mode service installs are the usual sources), paying particular attention to drivers loading from user-writable paths, and for a staging folder named GentlemenCollection, which ESET has repeatedly seen used to drop these tools. Finally, lock down internet-facing FortiGate devices, since misconfigured firewalls are how many of these victims are chosen in the first place. ESET has published the full technical breakdown, including indicators, in its original report.
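The following read-only audit script is an added example from the IntelFusions editor, not tooling from ESET or from the Gentlemen leak. It checks the three host-side controls above on one Windows endpoint: whether the vulnerable driver blocklist is enforced, whether Defender tamper protection is on, which kernel drivers Sysmon saw loaded in the last 24 hours from outside the normal driver directories or with an invalid signature, and whether a GentlemenCollection folder exists. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender and Sysmon (with DriverLoad logging enabled) installed; the GentlemenCollection name comes from the ESET report, everything else about the trusted-path and signature heuristics is the editor's choice.

```powershell
# Added example: host audit for the BYOVD mitigations discussed above.
# Assumes elevated PowerShell, Microsoft Defender, and Sysmon with DriverLoad logging.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Vulnerable driver blocklist. It is enforced when HVCI is running or when
#    VulnerableDriverBlocklistEnable = 1 under the CI\Config key.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI running
if ($blocklist -ne 1 -and -not $hvciRunning) {
    $findings.Add('Vulnerable driver blocklist not enforced (HVCI off and VulnerableDriverBlocklistEnable != 1)')
}

# 2. Defender tamper protection. Third-party EDR agents expose their own flag;
#    this check is Defender-specific.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.IsTamperProtected) {
    $findings.Add('Microsoft Defender tamper protection is off')
}

# 3. Drivers loaded in the last 24h (Sysmon Event ID 6 = DriverLoad). Flag loads
#    from outside the system driver directories, loads whose signature is not
#    valid, and loads from the GentlemenCollection staging folder.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = (Get-Date).AddHours(-24) }
$trustedDirs = @("$env:SystemRoot\System32\drivers\", "$env:SystemRoot\System32\DriverStore\")
foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $img = [string]$d['ImageLoaded']
    $fromTrusted = $false
    foreach ($t in $trustedDirs) { if ($img.StartsWith($t, 'OrdinalIgnoreCase')) { $fromTrusted = $true } }
    $reasons = @()
    if (-not $fromTrusted)                                             { $reasons += 'loaded from outside System32\drivers or DriverStore' }
    if ($d['Signed'] -ne 'true' -or $d['SignatureStatus'] -ne 'Valid') { $reasons += "signature status: $($d['SignatureStatus'])" }
    if ($img -match 'GentlemenCollection')                             { $reasons += 'GentlemenCollection staging path' }
    if ($reasons.Count -gt 0) {
        $findings.Add("Driver $img ($($d['Hashes'])) at $($d['UtcTime']): $($reasons -join '; ')")
    }
}

# 4. Staging folder on any fixed drive (name-based; absence proves nothing).
foreach ($drive in (Get-PSDrive -PSProvider FileSystem | Where-Object Root -match '^[A-Z]:\\$')) {
    Get-ChildItem -Path $drive.Root -Directory -Recurse -Depth 3 -Filter 'GentlemenCollection' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Staging folder present: $($_.FullName)") }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings.' }
```

Two caveats when using this. Defender tamper protection is switched on from the Windows Security app or a management console such as Intune, not from PowerShell, and the registry-based blocklist setting only takes effect after a reboot, so the script reports state rather than fixing it. Driver-load hunting is noisy on hosts that install hardware or vendor software regularly; the signature and path heuristics narrow it, but an unexpected signed driver loading from System32\drivers can still be a vulnerable one, which is why the blocklist and a current WDAC block policy remain the primary control.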
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.