‘Gentlemen’ Ransomware Abuses Vulnerable Driver to Kill Security Gear
Summary
The Gentlemen ransomware gang is weaponising a vulnerable, signed kernel driver (ThrottleStop.sys) — renamed in attacks as ThrottleBlood.sys — to disable antivirus and EDR products. Trend Micro analysis shows the group uses a bring-your-own-vulnerable-driver (BYOVD) technique together with AV-killer binaries (All.exe and customised Allpatch2.exe) and escalation tools like PowerRun.exe to terminate security processes and clear the way for encryption.
The attackers have moved from opportunistic, generic AV-killing methods to tailored reconnaissance and customised bypasses that target specific security vendors and agent behaviours. Because the driver is legitimately signed, simple driver-signature checks and filename blocks are ineffective; defenders are advised to monitor for suspicious driver+executable combinations and hunt for the AV-killer artifacts instead.
Key Points
- Threat actor: The Gentlemen ransomware gang, first observed in summer 2025, demonstrating rapid capability growth.
- Primary tactic: BYOVD attack using a vulnerable signed driver (ThrottleStop.sys / ThrottleBlood.sys) to gain kernel-level control and kill security agents.
- Artifacts to watch: All.exe (AV killer) and customised Allpatch2.exe; these may be renamed by attackers.
- Vulnerability: CVE-2025-7771 in ThrottleStop.sys enables code execution and privilege escalation at kernel level.
- Operational change: Group shifted from generic AV-killers to targeted reconnaissance and tailored bypasses for specific security products.
- Defensive advice: Implement zero-trust controls, monitor for unusual driver loads alongside unknown executables, and detect the AV-killer binaries rather than relying on blocking driver filenames.
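As an added example (not from the article or Trend Micro's analysis), the Python below correlates constructed Sysmon-style driver-load (Event ID 6) and process-create (Event ID 1) records to surface the "unusual driver alongside unknown executable" combination the advice above asks defenders to hunt for; the trusted-directory list, the time window and the sample events are assumptions.

```python
# Added example: hunt for the BYOVD pattern (signed driver from an odd path,
# plus an AV-killer or unknown executable nearby) rather than driver filenames.
# Event shapes mimic Sysmon Event ID 6 / 1; all sample values are constructed.
from datetime import datetime
import ntpath

# Assumed allowlist of directories a driver normally loads from.
TRUSTED_DRIVER_DIRS = {r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore"}
# Names from the write-up; attackers may rename files, so OriginalFileName is also checked.
KNOWN_KILLER_NAMES = {"all.exe", "allpatch2.exe", "powerrun.exe"}
KNOWN_VULN_DRIVER_NAMES = {"throttlestop.sys", "throttleblood.sys"}

def _ts(event):
    return datetime.fromisoformat(event["UtcTime"])

def hunt_byovd(events, window_seconds=120):
    """Return (reason, driver_path, exe_path) findings; exe_path is None for name-only hits."""
    findings = []
    drivers = [e for e in events if e["EventID"] == 6]
    procs = [e for e in events if e["EventID"] == 1]
    for d in drivers:
        drv = d["ImageLoaded"]
        drv_dir = ntpath.dirname(drv).lower()
        # "Signed" is deliberately ignored: the abused driver carries a valid signature.
        if ntpath.basename(drv).lower() in KNOWN_VULN_DRIVER_NAMES:
            findings.append(("known vulnerable driver name", drv, None))
        for p in procs:
            if abs((_ts(p) - _ts(d)).total_seconds()) > window_seconds:
                continue  # only pair processes started close to the driver load
            exe = p["Image"]
            names = {ntpath.basename(exe).lower(), p.get("OriginalFileName", "").lower()}
            if names & KNOWN_KILLER_NAMES:
                findings.append(("AV-killer binary near driver load", drv, exe))
            elif drv_dir not in TRUSTED_DRIVER_DIRS and ntpath.dirname(exe).lower() == drv_dir:
                findings.append(("driver and unknown exe from same untrusted dir", drv, exe))
    return findings

# Constructed sample telemetry: benign baseline, then a renamed driver and a renamed killer.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-09-01 10:00:00", "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"EventID": 6, "UtcTime": "2025-09-01 10:00:05", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"EventID": 6, "UtcTime": "2025-09-01 10:03:00", "ImageLoaded": r"C:\Users\Public\ThrottleBlood.sys", "Signed": "true"},
    {"EventID": 1, "UtcTime": "2025-09-01 10:03:20", "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "All.exe"},
    {"EventID": 1, "UtcTime": "2025-09-01 10:03:30", "Image": r"C:\Users\Public\helper.exe", "OriginalFileName": ""},
]

if __name__ == "__main__":
    for reason, drv, exe in hunt_byovd(SAMPLE_EVENTS):
        print(f"{reason}: driver={drv} exe={exe}")
```

Feeding real Sysmon exports through this means converting each record to the same dict shape first; the untrusted-directory rule is a heuristic and will need tuning to your environment.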
Context and Relevance
This incident fits a growing trend: ransomware actors increasingly exploit legitimate, signed drivers to bypass endpoint defences (BYOVD). Signed drivers with exploitable flaws are attractive because operating systems typically trust them; that trust is being abused to escalate privileges and terminate protection processes. For organisations running Windows endpoints, especially those with internet-facing infrastructure or exposed VPNs, this represents a real escalation in ransomware sophistication and persistence.
Why should I read this?
Short — because if you look after Windows endpoints, this is the sort of trick that makes your AV and EDR look useless overnight. The gang is using a signed driver to go straight into the kernel and pull the plug on defences, and they’re doing it deliberately, targeting specific security products. Read this so you know what to hunt for (All.exe, Allpatch2.exe, odd driver+exe combos) and to stop chasing filenames alone.
Author style
Punchy: This is a wake-up call. The write-up highlights a swift pivot from spray-and-pray malware to surgical, reconnaissance-driven attacks that tailor themselves to the victim’s security stack. If you manage endpoints or security ops, the details matter — they tell you what to detect and what not to trust.