The detail in this week's reporting that should hold a board's attention is not a piece of malware. It is an org chart. ESET has published research on a ransomware-as-a-service operation called The Gentlemen, and the finding underneath the technical write-up is that the operators have built something close to a product team: they develop, version, and maintain a suite of tools whose sole purpose is to turn off your endpoint protection, and they hand that suite to their affiliates ready to use. We are past the point of treating ransomware crews as gangs. The competent ones are software companies with a worse mission statement.

What the tool actually does

The framework is called GentleKiller, and ESET describes it in a report titled, with the dark humour of the trade, Killing Me Gently. It exists for one job: before the encryptor runs, blind the defences. GentleKiller ships in eight variants and goes looking for 400 processes belonging to 48 different security products — the endpoint detection and response (EDR) agents, the antivirus, the monitoring tools that are supposed to be your eyes on the host. Where it cannot kill a process by ordinary means, it reaches for a technique called bring-your-own-vulnerable-driver, or BYOVD: the attacker loads a legitimately signed but flawed kernel driver and uses it to reach into the kernel and terminate protected security processes from underneath. The operating system trusts the driver because it is properly signed. The driver is the betrayal.

Two things about the engineering are worth a board understanding in plain terms. First, the disguise is good. The samples impersonate well-known security vendors right down to copied digital certificates, icons and version strings, and are wrapped in commercial packers to frustrate analysis. A file that looks, to a glancing human or a tired analyst, like a trusted security product is in fact the thing dismantling your security. Second, the speed is the point. ESET notes the crew can operationalise a newly published proof-of-concept exploit within days of it appearing. The window between a researcher disclosing a vulnerable driver and that driver turning up in a live ransomware intrusion is now measured in days, not quarters.

Why the business model is the story

Most ransomware operations leave the messy business of disabling defences to whichever affiliate happens to be running the intrusion. The Gentlemen have done the opposite. They have centralised it, polished it, and offer it as a standard part of the affiliate package, alongside leaked or third-party killers with names like HexKiller, ThrottleBlood and HavocKiller folded into the same standardised evasion layer. ESET's own framing is that this materially lowers the barrier to entry for affiliates and makes the operation more attractive to work with.

That is a competitive strategy, and it works the way competitive strategies work. A less-skilled criminal who once could not reliably get past a modern EDR now can, because someone has built the hard part for them and made it click-to-run. The crew has been active only since March 2025 and has already claimed over 500 victims across South East Asia, South America and Western Europe — Western Europe very much including the UK. They also bundle a Rust-based credential stealer to harvest browser-stored passwords on the way through, because once the alarm is off you may as well empty the drawers too.

For boards

The instinct after reading something like this is to ask whether our EDR can stop it. That is the wrong question, and asking it is how organisations end up surprised. The entire purpose of this toolset is to switch your EDR off. So the questions worth asking your security team are different.

Do we alert when our own endpoint agent stops reporting? A silent EDR should be treated as a fire alarm, not a quiet night. Plenty of organisations only discover their protection was disabled when the ransom note arrives, because nobody was watching the watchers.
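One way to make "watching the watchers" concrete, as an added example that is not from ESET's report or this column: a small Python triage over constructed agent heartbeat data and Service Control Manager style events, flagging hosts whose agent has gone quiet, whose agent service was stopped, or where a kernel-mode driver was installed right afterwards (the driver-loading point raised in the next question). The service name EDRAgent, the host names, the timestamps and the driver path are all assumed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, not from the ESET report: last heartbeat per host as an EDR console
# would export it, plus Service Control Manager events (IDs 7036/7045) in a simplified layout.
AGENT = "EDRAgent"  # hypothetical Windows service name of the endpoint agent
NOW = datetime(2025, 10, 1, 9, 0, 0)  # constructed "current time" for the walk-through
HEARTBEATS = {
    "WS-FIN-01": "2025-10-01T08:55:00",
    "WS-FIN-02": "2025-10-01T07:10:00",  # quiet for almost two hours
    "SRV-FILE-01": "2025-10-01T08:58:00",
}
EVENTS = [
    "2025-10-01T08:40:11 WS-FIN-02 7036 The EDRAgent service entered the stopped state.",
    "2025-10-01T08:41:55 WS-FIN-02 7045 A service was installed in the system. "
    "Service Name: EXAMPLE_DRV Service File Name: C:\\Users\\Public\\EXAMPLE_DRV.sys "
    "Service Type: kernel mode driver",
]
EVENT_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")  # "timestamp host id message"

def parse(line):
    ts, host, eid, msg = EVENT_RE.match(line).groups()
    return datetime.fromisoformat(ts), host, int(eid), msg

def silent_hosts(heartbeats, now, max_gap=timedelta(minutes=30)):
    """Hosts whose agent has not checked in within max_gap: the silent EDR."""
    return sorted(h for h, t in heartbeats.items()
                  if now - datetime.fromisoformat(t) > max_gap)

def agent_stops(events, agent=AGENT):
    """7036 'entered the stopped state' events for the agent service itself."""
    return [(t, h) for t, h, eid, m in map(parse, events)
            if eid == 7036 and m.startswith(f"The {agent} service") and "stopped" in m]

def kernel_driver_installs(events):
    """7045 installs whose service type is a kernel-mode driver (how BYOVD is staged)."""
    return [(t, h, re.search(r"Service File Name: (\S+)", m).group(1))
            for t, h, eid, m in map(parse, events)
            if eid == 7045 and "kernel mode driver" in m]

def triage(heartbeats, events, now):
    """Per-host reasons: silence alone is the fire alarm; stop-then-driver is the page."""
    findings = ([(h, "agent silent") for h in silent_hosts(heartbeats, now)]
                + [(h, "agent service stopped") for _, h in agent_stops(events)]
                + [(h, f"kernel driver installed from {p}") for _, h, p in kernel_driver_installs(events)])
    reasons = {}
    for h, why in findings:
        reasons.setdefault(h, []).append(why)
    return reasons
```

In a real deployment the heartbeat gap and the service name come from your EDR vendor, and the events come from the Windows System log forwarded to your SIEM; the point is that the agent's own silence is what raises the alert.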

Are we blocking known-vulnerable drivers? BYOVD depends on loading a driver we should never have allowed to load. Microsoft maintains a vulnerable driver blocklist; it can be turned on and kept current. The related class of signed pre-boot (UEFI) applications is handled by firmware revocation updates, the dull-but-essential patching that quietly closes this door. This week's news also carried a CERT/CC advisory on vendor-signed UEFI applications — from Acer, AMD, ASUS, Gigabyte and others — abusable for a Secure Boot bypass by the same BYOVD logic, which tells you the technique is not confined to the EDR layer.

Do attackers need local administrator to do this, and if so, how freely is local admin handed out? Loading a kernel driver requires privilege. Tight privilege management and credential hygiene are not glamorous, but they are the ground the whole attack stands on.

And the one that sits above all of them: if our endpoint protection were silently disabled tonight, what is the next layer that notices? If the honest answer is "nothing until encryption," then EDR is not a layer of your defence; it is your defence, singular, and you are one signed driver away from blind. Defence in depth exists precisely because any single control, however good, can be switched off by someone who has made switching it off their product.

The wider point

I keep coming back to the same observation when I brief boards on the ransomware economy: the adversary has professionalised faster than most of the organisations defending against it. The Gentlemen are not interesting because their EDR-killer is novel — EDR-killers are a crowded market — they are interesting because they have a roadmap, a release cadence, and a customer base. You do not out-buy that with one more tool. You meet it with layered controls, with monitoring that treats the silence of a security agent as an event, and with the unglamorous discipline of privilege management and driver hygiene. The criminals have a product team now. The question for the board is whether your defence is a product or just a purchase.