GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes
ID: ee608a9e-1f62-50ff-95c9-70ebd3a02373
STIX ID: report--ee608a9e-1f62-50ff-95c9-70ebd3a02373
Feed Name: cybersecurityNews.com
ESET research details the Gentlemen RaaS operation and its modular EDR-killing suite, GentleKiller. The suite uses BYOVD (bring your own vulnerable driver: legitimately signed but vulnerable kernel drivers) to repeatedly terminate over 400 security-related processes across 48 products before the ransomware is deployed. The report enumerates eight GentleKiller variants, three integrated third-party EDR killers, a Rust-based credential stealer (OxideHarvest), evidence that public PoCs are incorporated rapidly, an internal operator data leak, and targeted victimology. Recommended mitigations include driver allowlisting and monitoring for anomalous driver loads and process-termination patterns.