The Gentlemen Ransomware Zero-Day: Dismantling EDR Systems from the Kernel
The Gentlemen ransomware syndicate has starkly illuminated the escalating peril of an age-old Windows vulnerability involving compromised drivers. In a recent attack, the threat actors eschewed conventional user-mode evasion tactics. Instead, they descended into the system’s kernel, weaponizing a previously uncatalogued zero-day vulnerability to dismantle Endpoint Detection and Response (EDR) systems prior to unleashing their cryptographic payload.
The Anatomy of a BYOVD Attack
Emerging in the summer of 2025, The Gentlemen swiftly predicated their strategy on the Bring Your Own Vulnerable Driver (BYOVD) paradigm. This insidious technique involves smuggling a legitimate yet fatally flawed driver onto a compromised machine. Because Windows inherently trusts such components, the driver is granted elevated privileges. This subsequently empowers the assailants to exploit inherent coding errors and sabotage defensive mechanisms from within. While ESET had previously chronicled a distinct suite of EDR assassins dubbed ‘GentleKiller’ wielded by this group, Expel has now dissected a novel incursion where the ktapi.sys driver, manufactured by Kontron, was brought to bear.
The Unknown Origin of the Exploit
According to Expel’s meticulous analysis, the vulnerability festering within ktapi.sys was entirely absent from public registries of hazardous drivers at the time of the investigation. Furthermore, researchers uncovered no preceding instances of this specific driver’s exploitation prior to the publication of their report. Therefore, the most confounding enigma remains unsolved. Security experts still do not know how the extortionists originally acquired the file and discerned the fatal flaw within its logic.
Exploiting the ktapi.sys Vulnerability
The crux of the vulnerability lay in the driver’s manipulation of physical memory. Originally designed to facilitate communication between application code and hardware, ktapi.sys possessed a highly dangerous function. It allowed a user to supply a system address and map the corresponding memory segment directly into the attacker’s process space. Under specific parameters, the Windows function HalTranslateBusAddress inadvertently accepted arbitrary RAM addresses alongside legitimate hardware bus addresses. Consequently, the malicious entity gained the unfettered ability to both read and modify kernel memory.
Bypassing Windows Defenses
From this vantage point, the exploit operated with the sophistication of a masterclass in cyber warfare. The rogue code autonomously scanned the Random Access Memory and isolated the page tables of the active process. Next, it translated virtual kernel addresses into their physical counterparts. Finally, it seamlessly bypassed formidable Windows defensive bulwarks, including PatchGuard, SMAP, and SMEP. The exploit’s architects masterfully leveraged the idiosyncrasies of Win32k.sys to reroute specific system calls. Thereby, they executed desired functions with kernel-level authority without triggering an immediate system crash.
The EDR Termination Loop
Having established this covert mechanism, the attackers turned to their primary objective. They focused entirely on terminating the processes of protective security suites. The exploit invoked crucial kernel functions namely PsLookupProcessByProcessId, ObDereferenceObject, and PsTerminateProcess. This allowed them to pinpoint and ruthlessly terminate targeted processes, entirely circumventing active self-defense mechanisms. In the iteration scrutinized by Expel, the crosshairs were firmly fixed upon Microsoft Defender, ESET, Palo Alto Cortex XDR, and SentinelOne. The malicious code executed this termination loop relentlessly, ensuring the EDR solutions were rendered utterly incapable of a normal restart.
Defensive Strategies and Corporate Implications
Expel emphasizes that ktapi.sys belongs to an antiquated lineage of cross-signed drivers. In the modern iterations of Windows 11 25H2 and Windows Server 2025, Microsoft has proactively disabled automatic trust for such archaic components. Consequently, this specific ktapi.sys driver would theoretically be blocked under these regimes unless explicitly permitted by an administrator. Nevertheless, the researchers caution that a modernized Windows environment alone does not wholly eradicate the broader spectrum of BYOVD vulnerabilities.
Mitigation Recommendations
To fortify digital perimeters, Expel recommends enabling core isolation and Virtualization-Based Security (VBS). Additionally, organizations must actively block known vulnerable drivers and meticulously configure Windows Defender Application Control. This final mechanism empowers administrators to curate a whitelist of permitted drivers based on nomenclature, hash values, publisher certificates, and minimum version prerequisites. Consequently, this significantly mitigates the risk of regression to compromised, legacy components. For older systems, researchers advise incorporating ktapi.sys and its associated payload, was.exe, into detection rules. However, they caution against relying exclusively on cryptographic hashes, as adversaries frequently deploy alternate iterations of the same driver.
A Somber Conclusion for Enterprise Security
The overarching conclusion drawn from this report casts a somber shadow over enterprise security paradigms. While a contemporary EDR solution may exhibit exceptional acuity in detecting malicious maneuvers within user mode, a vulnerable driver changes the equation entirely. It provides an adversary with a subterranean passageway to a realm where the defensive product is reduced to a mere target within the kernel’s sights. For modern ransomware syndicates, this methodology is no longer an esoteric anomaly. It is a highly effective, operationalized tactic designed to paralyze a system’s defenses in mere seconds, paving the way for catastrophic encryption.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.