The Gentlemen ransomware operation has weaponised a zero-day vulnerability in a legitimate Kontron driver, ktapi.sys, to gain kernel-level access and disable enterprise security tools, according to research from Expel and Kaspersky published in mid-2026. The bring-your-own-vulnerable-driver (BYOVD) tool, dubbed GentleKiller, terminates protected security processes belonging to Microsoft, ESET, Palo Alto Networks, and SentinelOne. Paired with a custom Go-based backdoor for remote control, it lets the group switch off state-of-the-art endpoint defences in seconds before deploying its locker.
The Gentlemen is one of the most active ransomware-as-a-service programs of 2026. Ransomnews profiled the operation and its leaked internal playbook in an earlier report; this piece focuses on the specific technique that makes its intrusions so hard to stop, the driver abuse that neutralises EDR at the kernel level.
What is BYOVD, and why does it work?
Bring your own vulnerable driver is an attack where an operator loads a legitimately signed but flawed kernel driver onto a target, then abuses its vulnerability to run code in the kernel. Because the driver carries a valid signature, Windows trusts it. Once in the kernel, the attacker sits below the security products running in user space and can terminate them at will. As Marcus Hutchins of Expel put it, BYOVD “continues to be a huge threat to enterprises, enabling attackers to disable state-of-the-art endpoint security systems in seconds,” and even a fully patched, mitigation-hardened Windows install “does not provide complete protection.”
What is the ktapi.sys zero-day?
ktapi.sys is part of an API developed by Kontron, an industrial-computing vendor. The Gentlemen obtained the driver and identified an exploitable flaw in it, then built GentleKiller to abuse that flaw for kernel access. The choice of a little-known third-party driver is deliberate: obscure signed drivers are less likely to appear on blocklists like Microsoft’s vulnerable-driver list, so they slip past controls that would catch better-known BYOVD tools. Expel noted it is still unclear how the actors came into possession of the file or learned of its vulnerability, which is itself a warning: the pool of abusable signed drivers is far larger than any blocklist tracks.
How does the Go backdoor fit in?
Kaspersky’s Securelist team detailed a Go-based backdoor that gives The Gentlemen remote command execution after initial reconnaissance and lateral movement through Group Policy or PsExec. The implant collects system information and exfiltrates it to an external server (81.177.215[.]15:9443) over a bidirectional TCP connection, then waits for operator instructions. If the response byte is c, it executes the command through cmd.exe; if the byte is s, it opens a SOCKS proxy connection. That SOCKS capability lets the operators pivot deeper into the network and widen their scan coverage, effectively turning a compromised host into a foothold for the rest of the intrusion.
Why does this matter beyond one group?
BYOVD has moved from a niche evasion trick to a standard part of the ransomware toolkit, and The Gentlemen’s use of a fresh zero-day in an obscure driver shows how the technique keeps outrunning defences. The uncomfortable truth for security teams is that EDR, the control most organisations treat as their last line, can be switched off by an attacker who already has administrative access and the right signed driver. This is especially dangerous in virtualised estates: the same kernel-level access that kills EDR on Windows hosts pairs naturally with the group’s interest in ESXi ransomware, where a single compromised hypervisor takes down every guest.
How do you defend against BYOVD?
The single most effective control is Microsoft’s vulnerable-driver blocklist, enabled through Windows Defender Application Control or the memory-integrity setting, which stops known-bad drivers from loading. It will not catch a genuinely novel driver like ktapi.sys on day one, so pair it with monitoring for new kernel driver loads, especially industrial-vendor drivers appearing on servers that have no reason to run them. Restrict who can load drivers by locking down administrative access, since BYOVD requires admin rights to install the driver in the first place. Watch for the behavioural tells the Kaspersky and Expel research documented: GPO or PsExec-driven lateral movement, a Go binary beaconing to an unfamiliar host, and EDR agents going silent in clusters. And keep offline backups, because once the kernel is theirs, prevention has already failed and recovery is what is left. You can track the group and its affiliates on the Ransomnews threat-group catalogue.
Frequently asked questions
What is GentleKiller?
GentleKiller is the BYOVD tool used by The Gentlemen ransomware group. It exploits a zero-day in Kontron’s ktapi.sys driver to gain kernel access and terminate protected security processes.
What is BYOVD?
Bring your own vulnerable driver is a technique where attackers load a legitimately signed but flawed kernel driver, then exploit it to run code in the kernel and disable security tools from below.
Which security products does GentleKiller target?
Researchers observed it terminating protected processes from Microsoft, ESET, Palo Alto Networks, and SentinelOne. Because it operates in the kernel, it can shut down user-space agents regardless of their own protections.
Does a patched Windows machine stop this attack?
Not fully. Expel’s Marcus Hutchins noted that even the latest Windows version with all exploit mitigations enabled does not provide complete protection against BYOVD, because the abused driver is signed and trusted.
How do I defend against BYOVD attacks?
Enable Microsoft’s vulnerable-driver blocklist, monitor for unexpected kernel driver loads, restrict administrative access so drivers cannot be installed easily, and keep offline backups for recovery.
Sources and further reading
- Expel: analysing the zero-day exploit used by The Gentlemen to disable EDR
- Kaspersky Securelist: The Gentlemen RaaS and its Go backdoor
- The Hacker News: Ransomware groups turn to Citrix Bleed 2, BYOVD, and supply chain credentials
- Ransomnews: The Gentlemen ransomware: 483 victims and a leaked playbook
- Ransomnews: ESXi ransomware in 2026: one host, the whole datacenter
