When the Antivirus Dies First: Why an EDR Killer Means Nothing If a Human Is Still Watching
- Scott Pagel

- Jun 24
- 5 min read

The first thing modern ransomware does is not encrypt your files. It quietly turns off the software you bought to stop it.
And most companies do not find out until the ransom note appears.
Recent research from ESET highlights a growing threat known as EDR killer ransomware protection teams can no longer ignore. A ransomware group called The Gentlemen has developed its own framework specifically designed to disable endpoint security products before launching encryption attacks. The tool, called GentleKiller, represents a troubling evolution in ransomware operations: attackers are no longer trying to evade security software. They are trying to switch it off entirely.
For businesses that rely solely on endpoint protection, that should be an uncomfortable thought.
Because if your security strategy ends at the endpoint, what happens when the endpoint goes dark?
What an EDR Killer Actually Does
EDR killers are designed to disable endpoint detection and response tools before ransomware is deployed.
The most common technique behind these attacks is known as BYOVD, or Bring Your Own Vulnerable Driver.
In plain English, the attacker gains administrative access to a system and then loads a legitimately signed but vulnerable Windows driver. Because the driver operates at the kernel level, it provides attackers with powerful system access. From there, they can terminate security processes, disable protections, and effectively blind endpoint security software.
According to ESET's June research, the Gentlemen ransomware group uses its own framework called GentleKiller to disable security products before encryption begins. The framework targets security processes running on affected systems and systematically removes the protections organizations depend on to detect malicious activity.
The ransomware does not win because the encryption is sophisticated.
It wins because defenders are suddenly blind.
This Is Not Fringe Anymore. It Is a Product.
The most concerning aspect of the Gentlemen operation is not the malware itself.
It is the maturity of the business model behind it.
Researchers found that the group operates much like a software company. GentleKiller includes multiple variants, supports attacks against hundreds of security processes across dozens of endpoint products, receives ongoing updates, and is distributed through ransomware affiliate programs. The framework reportedly targets more than 400 security processes across approximately 48 security products. The group has also demonstrated the ability to weaponize newly disclosed driver vulnerabilities within days of public proof-of-concept releases.
ESET states that Gentlemen's "victimology is globally distributed" and that the gang targets victims across Southeast Asia, South America, and Western Europe. Third-party EDR killers such as HexKiller, ThrottleBlood, and HavocKiller are also appearing in ransomware campaigns, suggesting that disabling endpoint defenses is quickly becoming standard operating procedure.
This is no longer an advanced attacker technique.
It is becoming part of the ransomware toolkit.
Why "We Have EDR" Is No Longer the Answer
For years, organizations have been told to deploy endpoint detection and response solutions.
That advice is still correct. The problem is assuming the tool itself is the strategy.
If the endpoint agent is your last line of defense, you have exactly one line of defense. And attackers are increasingly targeting that line first.
This does not mean EDR is ineffective.
It means endpoint security should be part of a broader detection and response strategy rather than the entire strategy.
The reality is simple: Security products can fail. Agents can crash. Sensors can be disabled. Updates can break. Attackers can switch things off.
The question becomes what happens next.
What Actually Stops an EDR Killer
Telemetry the Endpoint Does Not Own
Even when attackers disable an endpoint agent, they still leave evidence behind such as:
Identity activity
Authentication events
Network connections
Privilege escalation attempts
Lateral movement
These signals exist outside the endpoint itself.
This is where XDR platforms become valuable. By correlating activity across endpoint, identity, cloud, and network sources, organizations gain visibility that survives even when a local sensor is compromised.
For a deeper look at how this works, see SafeStorz's article on XDR solutions and modern threat detection.
The endpoint may be blind.
The environment is not.
A Human Watching at 2 AM
This is the section most organizations overlook.
Technology alone does not stop an EDR killer.
People do.
When attackers attempt to disable endpoint protection, that activity itself becomes suspicious. In a managed detection and response environment, the kill attempt is treated as a detection event rather than simply a technical failure.
This is where SafeStorz's approach differs.
SafeStorz combines Cynet XDR with 24/7 CyOps MDR. That means security analysts are continuously monitoring alerts, investigating suspicious activity, and responding to threats even when internal IT teams are asleep.
If an endpoint agent is disabled at 2:00 AM, the goal is not to discover it the following morning.
The goal is to investigate it immediately.
A tool-only deployment may lose visibility.
A staffed SOC continues hunting.
That distinction often determines whether ransomware is contained or allowed to spread.
Shrinking the Blast Radius
Detection matters.
Response matters.
But resilience matters too.
The best security strategies assume attackers will occasionally get further than expected.
That is why SafeStorz focuses heavily on reducing blast radius through:
Least privilege access controls
Standardized security baselines
Patch management discipline
Vulnerability remediation
Many BYOVD attacks depend on vulnerable drivers that remain available long after security fixes have been released.
Closing those gaps reduces opportunities for attackers before they ever reach the ransomware stage.
This ties directly into a challenge SafeStorz recently discussed in this article on vulnerabilities and modern patch management.

How SafeStorz Handles This
The lesson from the Gentlemen research is not that endpoint security has failed.
The lesson is that endpoint security alone is no longer enough.
SafeStorz approaches ransomware defense as a layered detection and response problem.
That includes:
Cynet XDR visibility across endpoint, identity, network, and cloud environments
24/7 CyOps MDR monitoring and investigation
Standardized Microsoft 365 and security baselines
Private cloud infrastructure designed to limit lateral movement
Proactive vulnerability and patch management
None of these controls are designed to operate independently. They work together.
Because modern ransomware is no longer trying to sneak past security.
It is trying to disable security altogether.
For additional background, SafeStorz recently explored why businesses must move beyond traditional antivirus approaches and adopt more advanced detection strategies.
The Real Question
The question is no longer whether you have endpoint protection.
Most businesses do.
The question is what happens when that protection is targeted first.
If your current security strategy depends entirely on a tool running on a single device, attackers already know where to start.
If you're not sure whether your current endpoint security would survive being switched off, SafeStorz can review your detection and response coverage and help identify potential blind spots before attackers find them.
Contact SafeStorz to schedule a security assessment and learn how layered detection, 24/7 MDR, and infrastructure resilience work together to reduce ransomware risk.



