Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
Security

The Gentlemen weaponised a Kontron driver to kill EDR

Jesse William McGrawBy Jesse William McGrawJuly 10, 2026Updated:July 10, 2026No Comments5 Mins Read20 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
The Gentlemen weaponised a Kontron driver to kill EDR, ransomnews.com
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

The Gentlemen ransomware operation has weaponised a zero-day vulnerability in a legitimate Kontron driver, ktapi.sys, to gain kernel-level access and disable enterprise security tools, according to research from Expel and Kaspersky published in mid-2026. The bring-your-own-vulnerable-driver (BYOVD) tool, dubbed GentleKiller, terminates protected security processes belonging to Microsoft, ESET, Palo Alto Networks, and SentinelOne. Paired with a custom Go-based backdoor for remote control, it lets the group switch off state-of-the-art endpoint defences in seconds before deploying its locker.

The Gentlemen is one of the most active ransomware-as-a-service programs of 2026. Ransomnews profiled the operation and its leaked internal playbook in an earlier report; this piece focuses on the specific technique that makes its intrusions so hard to stop, the driver abuse that neutralises EDR at the kernel level.

What is BYOVD, and why does it work?

Bring your own vulnerable driver is an attack where an operator loads a legitimately signed but flawed kernel driver onto a target, then abuses its vulnerability to run code in the kernel. Because the driver carries a valid signature, Windows trusts it. Once in the kernel, the attacker sits below the security products running in user space and can terminate them at will. As Marcus Hutchins of Expel put it, BYOVD “continues to be a huge threat to enterprises, enabling attackers to disable state-of-the-art endpoint security systems in seconds,” and even a fully patched, mitigation-hardened Windows install “does not provide complete protection.”

What is the ktapi.sys zero-day?

ktapi.sys is part of an API developed by Kontron, an industrial-computing vendor. The Gentlemen obtained the driver and identified an exploitable flaw in it, then built GentleKiller to abuse that flaw for kernel access. The choice of a little-known third-party driver is deliberate: obscure signed drivers are less likely to appear on blocklists like Microsoft’s vulnerable-driver list, so they slip past controls that would catch better-known BYOVD tools. Expel noted it is still unclear how the actors came into possession of the file or learned of its vulnerability, which is itself a warning: the pool of abusable signed drivers is far larger than any blocklist tracks.

How does the Go backdoor fit in?

Kaspersky’s Securelist team detailed a Go-based backdoor that gives The Gentlemen remote command execution after initial reconnaissance and lateral movement through Group Policy or PsExec. The implant collects system information and exfiltrates it to an external server (81.177.215[.]15:9443) over a bidirectional TCP connection, then waits for operator instructions. If the response byte is c, it executes the command through cmd.exe; if the byte is s, it opens a SOCKS proxy connection. That SOCKS capability lets the operators pivot deeper into the network and widen their scan coverage, effectively turning a compromised host into a foothold for the rest of the intrusion.

GentleKiller: BYOVD kill chain User space Microsoft EDR ESET Palo Alto Networks SentinelOne Kernel Signed ktapi.sys (Kontron) zero-day exploited by GentleKiller kills protected processes from below Source: Expel, Kaspersky Securelist, 2026

Why does this matter beyond one group?

BYOVD has moved from a niche evasion trick to a standard part of the ransomware toolkit, and The Gentlemen’s use of a fresh zero-day in an obscure driver shows how the technique keeps outrunning defences. The uncomfortable truth for security teams is that EDR, the control most organisations treat as their last line, can be switched off by an attacker who already has administrative access and the right signed driver. This is especially dangerous in virtualised estates: the same kernel-level access that kills EDR on Windows hosts pairs naturally with the group’s interest in ESXi ransomware, where a single compromised hypervisor takes down every guest.

How do you defend against BYOVD?

The single most effective control is Microsoft’s vulnerable-driver blocklist, enabled through Windows Defender Application Control or the memory-integrity setting, which stops known-bad drivers from loading. It will not catch a genuinely novel driver like ktapi.sys on day one, so pair it with monitoring for new kernel driver loads, especially industrial-vendor drivers appearing on servers that have no reason to run them. Restrict who can load drivers by locking down administrative access, since BYOVD requires admin rights to install the driver in the first place. Watch for the behavioural tells the Kaspersky and Expel research documented: GPO or PsExec-driven lateral movement, a Go binary beaconing to an unfamiliar host, and EDR agents going silent in clusters. And keep offline backups, because once the kernel is theirs, prevention has already failed and recovery is what is left. You can track the group and its affiliates on the Ransomnews threat-group catalogue.

Frequently asked questions

What is GentleKiller?

GentleKiller is the BYOVD tool used by The Gentlemen ransomware group. It exploits a zero-day in Kontron’s ktapi.sys driver to gain kernel access and terminate protected security processes.

What is BYOVD?

Bring your own vulnerable driver is a technique where attackers load a legitimately signed but flawed kernel driver, then exploit it to run code in the kernel and disable security tools from below.

Which security products does GentleKiller target?

Researchers observed it terminating protected processes from Microsoft, ESET, Palo Alto Networks, and SentinelOne. Because it operates in the kernel, it can shut down user-space agents regardless of their own protections.

Does a patched Windows machine stop this attack?

Not fully. Expel’s Marcus Hutchins noted that even the latest Windows version with all exploit mitigations enabled does not provide complete protection against BYOVD, because the abused driver is signed and trusted.

How do I defend against BYOVD attacks?

Enable Microsoft’s vulnerable-driver blocklist, monitor for unexpected kernel driver loads, restrict administrative access so drivers cannot be installed easily, and keep offline backups for recovery.

Sources and further reading

  • Expel: analysing the zero-day exploit used by The Gentlemen to disable EDR
  • Kaspersky Securelist: The Gentlemen RaaS and its Go backdoor
  • The Hacker News: Ransomware groups turn to Citrix Bleed 2, BYOVD, and supply chain credentials
  • Ransomnews: The Gentlemen ransomware: 483 victims and a leaked playbook
  • Ransomnews: ESXi ransomware in 2026: one host, the whole datacenter
Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticleAnubis ransomware is exploiting Citrix Bleed 2 for access
Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.

Related Posts

FortiBleed: 75,000 cracked Fortinet firewalls, no zero-day needed

June 18, 2026

Registrų centras breach: 600,000 records exposed

May 27, 2026

RDP attacks 2026: ransomware’s #1 entry vector

May 16, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.