top of page
ALL POSTS
The Gentlemen's GentleKiller: How a Standardized EDR-Killer Framework Emerged as the New Ransomware Threat
Key Findings The Gentlemen ransomware operation has developed GentleKiller, a standardized EDR-killer suite distributed to affiliates before ransomware deployment GentleKiller exists in at least eight variants, each impersonating legitimate products and exploiting different vulnerable drivers via BYOVD technique The framework targets over 400 processes across 48 security products including CrowdStrike, SentinelOne, and Microsoft Defender The Gentlemen adopts newly disclosed e
Jun 203 min read
54 EDR Killers Leverage BYOVD to Exploit 34 Signed Vulnerable Drivers and Bypass Security
Key Findings * 54 endpoint detection and response (EDR) killer tools detected * 34 unique signed vulnerable drivers exploited * Technique known as Bring Your Own Vulnerable Driver (BYOVD) widely used * Primarily targeting ransomware defense evasion * Three main categories of threat actors develop these tools * Kernel-mode privilege escalation is primary attack mechanism Background Endpoint detection and response (EDR) killer tools have emerged as a critical threat in modern c
Mar 191 min read
Wormable XMRig Campaign Leverages BYOVD and Timed Kill Switch for Stealth
Key Findings Wormable cryptojacking campaign spreads through pirated software installers Uses BYOVD (Bring Your Own Vulnerable Driver) technique to gain kernel-level access and boost mining performance Includes a time-based "kill switch" set to December 23, 2025, triggering a controlled cleanup routine Exhibits worm-like capabilities, spreading across external storage devices for lateral movement Modular design separates monitoring features from mining, persistence, and privi
Feb 232 min read
Osiris Ransomware Evolves, Leveraging BYOVD to Disarm Security Tools
Key Findings Symantec and VMware Carbon Black researchers have uncovered a new ransomware strain called Osiris, used in a November 2025 attack against a major Southeast Asian food service franchise operator. Osiris leverages the POORTRY driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable security software on targeted systems. The new ransomware has full-featured capabilities, including the ability to stop services and processes, select files and folders to
Jan 252 min read
bottom of page
