HelpnetSecurity

GentleKiller targets more than 400 security processes across 48 products


Most ransomware operations leave the work of disabling endpoint security software to their affiliates. The ransomware-as-a-service gang Gentlemen runs a different model. Its operators develop and maintain a set of tools for shutting down endpoint detection and response (EDR) products, then provide these tools directly to the affiliates who rent the gang’s encryptors.

An internal data leak from the group in May 2026 confirmed the arrangement and exposed the gang’s leader discussing the supply of these EDR-killer packages.

“While there have been multiple reports covering Gentlemen in recent months, they have not focused on a detailed analysis of the group’s EDR killers. Thanks to ESET’s continued incident-level visibility, we can provide a uniquely deep view into Gentlemen’s EDR-killer development practices. The internal data leak that Gentlemen suffered in May 2026 gave us more insight into the inner workings of the group,” said ESET researcher Jakub Souček. “The leak also allowed us to confirm the hypothesis we formed in February 2026: that Gentlemen operators actively develop and maintain a portfolio of EDR killers that they offer to affiliates, centered around their in-house framework, which we have named GentleKiller.”

Gentlemen emerged in late 2025 and grew into one of the five most active ransomware gangs in the first quarter of 2026. The operation offers affiliates a 90% share of ransom payments. Group-IB traced its founding to a former Qilin affiliate. The gang practices double extortion, encrypting victim data and threatening to publish it when victims decline to pay. For encryption, the operators supply a Go-based variant for Windows, Linux, and other platforms, along with a C-based variant for ESXi.

Targeting beyond the United States

Many top-tier ransomware gangs draw close to half their announced victims from the United States. Gentlemen draws its victims from a wider spread of countries, with concentrations in Southeast Asia, South America, and Western Europe. Its target list reaches countries such as Thailand, Brazil, and France.

The leaked data shows the operators sort through candidate organizations centrally and assign them to affiliates. Victim selection rests mainly on the configuration of a target’s FortiGate firewall.

An in-house framework with eight variants

The core of the suite is GentleKiller, first observed in a staging directory called GentlemenCollection. It is the most common EDR killer in Gentlemen intrusions and appears in at least eight variants, each one impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver.

The variants carry names drawn from games and security products. Across variants, the code shares strings, a process-killing loop that runs on a timer, and the same obfuscation, which points to a reused development template. The general target set spans more than 400 process names linked to 48 security products.
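As an added illustration, not code from the ESET report or from the Gentlemen tooling, the following Python sketch shows how a defender might hunt for the timer-driven kill loop described above in process-termination telemetry. The events, the acting process path, and the security-product process names are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style process-termination telemetry, not real logs:
# (timestamp, acting process image, terminated process image).
# "shield-updater.exe" and the product process names are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    ("2026-02-01T10:00:00", r"C:\Users\Public\shield-updater.exe", "avservice.exe"),
    ("2026-02-01T10:00:00", r"C:\Users\Public\shield-updater.exe", "edragent.exe"),
    ("2026-02-01T10:00:01", r"C:\Users\Public\shield-updater.exe", "sensorsvc.exe"),
    ("2026-02-01T10:00:30", r"C:\Users\Public\shield-updater.exe", "avservice.exe"),
    ("2026-02-01T10:00:30", r"C:\Users\Public\shield-updater.exe", "edragent.exe"),
    ("2026-02-01T10:00:31", r"C:\Users\Public\shield-updater.exe", "sensorsvc.exe"),
    ("2026-02-01T10:01:00", r"C:\Users\Public\shield-updater.exe", "avservice.exe"),
    ("2026-02-01T10:01:00", r"C:\Users\Public\shield-updater.exe", "edragent.exe"),
    ("2026-02-01T10:01:01", r"C:\Users\Public\shield-updater.exe", "sensorsvc.exe"),
    ("2026-02-01T10:02:00", r"C:\Windows\System32\services.exe", "avservice.exe"),
]

# Assumed local inventory of security-product process names (placeholders).
SECURITY_PROCESSES = {"avservice.exe", "edragent.exe", "sensorsvc.exe", "mdmcore.exe"}


def find_kill_loops(rows, gap_seconds=10, min_targets=3, min_rounds=2):
    """Return {actor: [round start times]} for actors that terminate at least
    min_targets distinct security processes per round in at least min_rounds rounds;
    repeated rounds are the signature of a timer loop re-killing restarted processes."""
    by_actor = defaultdict(list)
    for ts, actor, target in rows:
        if target.lower() in SECURITY_PROCESSES:
            by_actor[actor].append((datetime.fromisoformat(ts), target.lower()))
    hits = {}
    for actor, events in by_actor.items():
        events.sort()
        rounds = []  # each round: [start time, set of targets, last event time]
        for ts, target in events:
            if rounds and (ts - rounds[-1][2]).total_seconds() <= gap_seconds:
                rounds[-1][1].add(target)
                rounds[-1][2] = ts
            else:
                rounds.append([ts, {target}, ts])
        starts = [r[0] for r in rounds if len(r[1]) >= min_targets]
        if len(starts) >= min_rounds:
            hits[actor] = starts
    return hits


def loop_period_seconds(starts):
    """Seconds between consecutive qualifying rounds; a steady value points to a timer."""
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
```

A single termination by a legitimate service manager, as in the last sample event, does not trigger the rule; only a process that repeatedly clears several security processes in quick succession does.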

Gentlemen adapts newly published Bring Your Own Vulnerable Driver proofs-of-concept quickly. The operators folded two recently disclosed examples, tracked as UnknownKiller and PoisonKiller, into their tooling within days of release.

Outside tools and a shared disguise

The suite also carries three tools that Gentlemen obtained from outside sources. HexKiller had been tied to the Warlock gang. ThrottleBlood appeared in MedusaLocker and DragonForce intrusions, and Trend Micro connected it to Gentlemen in September 2025. HavocKiller surfaced publicly through Huntress on March 19, 2026, and ESET telemetry places its use in real intrusions back to at least January 23, 2026. Gentlemen acquired these tools through unknown channels and standardized them to match its own toolset.

A shared evasion layer ties the portfolio together. The operators apply it to compiled binaries, which lets them protect tools whose source code they lack. Filenames mimic well-known security vendors. The executables carry fabricated version information, invalid digital signatures copied from legitimate software, and icons taken from the impersonated products. Many samples also receive commercial packing through Enigma or Themida, recorded in a filename suffix.

What the model means for defenders

RansomHub previously built one EDR killer in-house for its affiliates. Gentlemen keeps a varied portfolio that blends original code with adapted public research. The model lowers the entry barrier for affiliates, who gain a ready-to-use way to disable defenses. The shared vendor disguises across these tools complicate attribution when a single sample turns up on its own. Understanding how GentleKiller operates gives defenders a basis for spotting current builds and the variants that Gentlemen adds next.
