Gentlemen ransomware with custom EDR/AV killers has become one of the most disruptive threats to global industry in mid-2026. Within its first year of independent operation, The Gentlemen group (tracked by Microsoft as Storm-2697) has claimed over 500 victims, targeting manufacturing, healthcare and financial services with a sophisticated suite of in-house and third-party security killers. This escalation, alongside a recent backend leak, offers unprecedented insight into the group’s methods and victims.
Gentlemen Ransomware Surge: Timeline and Impact
The group emerged in mid-2025 after a payment dispute within the Qilin RaaS program, quickly evolving into a full-spectrum, human-operated Ransomware-as-a-Service (RaaS) operation. By April 2026, The Gentlemen were responsible for approximately 10% of all global ransomware activity, a remarkable growth rate for any criminal enterprise.
- First appeared: July 2025, splitting from Qilin RaaS
- 500+ confirmed victims in 70+ countries by mid-2026
- Victims span manufacturing, healthcare, finance, and operational technology sectors
- 1,570+ unique victims exposed via a leaked backend database in May 2026
The group’s attacks are highly targeted and hands-on. They operate largely outside the Commonwealth of Independent States (CIS), consistent with Russian-nexus cybercriminal norms, and have developed a reputation for technical sophistication and aggressive evasion techniques.
Unique Tools: GentleKiller and BYOVD Arsenal
What sets The Gentlemen apart is their operator-maintained EDR/AV killer infrastructure, directly marketed to affiliates. The core framework, GentleKiller, includes at least eight distinct Bring Your Own Vulnerable Driver (BYOVD) variants. These tools are capable of terminating more than 400 security processes across 48 different security vendors, giving attackers a significant advantage once inside a target system.
- GentleKiller: In-house EDR/AV killer suite
- BYOVD variants: Exploit legitimate drivers with known vulnerabilities to disable security tools
- Third-party integrations: HexKiller, ThrottleBlood, and HavocKiller included in a modular evasion suite
- Go-based worm: Self-propagating encryptor using Curve25519/XChaCha20 cryptography
This combination enables The Gentlemen group to bypass even well-defended environments. The use of both proprietary and third-party evasion tools makes detection and response more challenging for defenders. Their Go-based worm is capable of lateral movement and rapid propagation across enterprise networks, further compounding the threat.
Leaked Backend Database: Unprecedented Visibility
In May 2026, a significant intelligence breakthrough occurred when the group’s internal backend system, “Rocket,” was leaked. This database contained over 3,300 internal chat messages, operator identities, victim lists, negotiation transcripts and the full toolchain.
- Victim exposure: 1,570+ unique victims confirmed
- Operator details: 9 core operators, at least 8 affiliate IDs identified
- Operational insights: Internal communication, tactics, and affiliate management structures revealed
The backend leak has enabled cybersecurity researchers to gain a detailed understanding of The Gentlemen’s inner workings. Analysts from ESET, Microsoft Threat Intelligence, Check Point, Trend Micro and Huntress have used the leaked data to improve detection and hardening recommendations for defenders worldwide.
Threat Actor Profile: Organisation and Tactics
Leadership and Structure
The Gentlemen was founded by an operator known as hastalamuerte (aliases: zeta88, tracked by PRODAFT as LARVA-368), a former affiliate leader within Qilin RaaS. This individual continues to play a hands-on role in attacks and manages the RaaS infrastructure. The group’s exclusion of CIS-based targets and use of Russian language in communications align with established Russian cybercriminal patterns.
Core Team and Affiliate Model
Analysis of the leaked Rocket.Chat database shows a core team of around nine operators and at least eight distinct affiliate groups, each with their own TOX IDs. The group is tightly organised, with clear roles for building ransomware lockers, distributing targets, and managing payouts. Affiliates are supplied with up-to-date security killers and are closely managed by the core operators.
Why This Matters for Organisations
The rapid growth and technical sophistication of The Gentlemen ransomware with custom EDR/AV killers represents a clear escalation in the ransomware landscape. The group’s ability to terminate hundreds of security products, combined with their widespread affiliate recruitment, makes them a Tier-1 threat for any organisation with valuable data or operational technology. The backend leak has provided rare visibility, but also underscores the scope and ambition of the group.
What Organisations Should Do Next
- Review the latest indicators of compromise (IoCs) from Microsoft, ESET, and other vendors related to The Gentlemen’s toolchain
- Prioritise detection for BYOVD activity and the specific driver families abused by GentleKiller
- Monitor for modular EDR killer activity and Go-based worm behaviour
- Ensure rapid patching and hardening of endpoint security controls
Staying informed on attacker tactics and making use of recent threat intelligence are essential steps in minimising risk from this fast-evolving ransomware group.
Originally reported by cybersecuritynews.com.






