Is Your EDR Actually Running? How Ransomware Groups Disable It Before You Notice

by Rebecca Sutton

Most organisations that invest in endpoint detection and response expect it to be running when ransomware lands. But that assumption is increasingly wrong. The Gentlemen ransomware gang has published research, via ESET, confirming they ship an EDR killer ransomware framework to every affiliate as a standard part of the attack toolkit. Before encryption begins, the framework silences the security software that would otherwise detect and block the attack.

This is not a gap in one specific product. The GentleKiller framework targets more than 400 processes across 48 distinct security vendors, including Microsoft Defender, CrowdStrike Falcon, SentinelOne, Sophos, Palo Alto Cortex XDR, Bitdefender, and many others. The question is not whether your product is on the list. It probably is. So the question is whether you have done anything to make killing it harder.

How EDR Killer Ransomware Disables Your Security

The technique behind GentleKiller and similar EDR killer ransomware tools is called Bring Your Own Vulnerable Driver, or BYOVD. It works like this. Windows kernel drivers run at a privileged level below the software layer where most security products operate. A driver signed by a legitimate vendor carries an implicit trust from Windows, even if that driver has a known vulnerability.

An attacker loads one of these vulnerable drivers as a Windows service. Through the driver’s kernel access, they send commands to terminate the processes that make up endpoint security software. The security product often cannot stop or log what is happening before it is closed, because the attack comes from below.

GentleKiller has at least eight variants, each abusing a different driver from a different legitimate vendor. The drivers come from software made by IObit, Safetica, Zemana, and Qihoo 360. Each variant impersonates a security product with fake version information, copied digital signatures, and vendor icons to pass casual inspection. Most are also packed with commercial obfuscation tools to delay analysis.

The gang also adapts fast. According to ESET’s research, they operationalise newly disclosed BYOVD proofs of concept within days of public release. So blocklisting a specific driver after the fact is not a reliable defence.

Three Questions to Ask Your IT Team This Week

These are practical checks to run in response to EDR killer ransomware threats. None requires specialist tools or long lead times.

Is tamper protection enabled on every endpoint? Most major EDR platforms include a tamper protection setting. It blocks their own processes from being terminated by external software. Yet the setting is not always enabled by default, and it can be switched off without leaving an obvious audit trail. Confirm it is on across the entire estate, not just on devices where it was last checked.

Are you alerted if an EDR process stops? Even with tamper protection, edge cases exist. A security operations centre, or managed security provider, should receive an alert the moment a protected process terminates unexpectedly. BleepingComputer’s coverage of the Gentlemen campaign confirms that affiliates attack environments where this alert is absent or delayed. Test it deliberately in a controlled setting.

What kernel drivers are running on your systems? The vulnerable drivers GentleKiller abuses are not malicious by origin. They come from legitimate software that many businesses install. If your estate runs IObit utilities, Safetica data loss prevention, or Zemana security software, check whether the vulnerable driver versions are present. In most cases, they can be removed without removing the parent application.

What a Pen Test Should Be Checking

A traditional penetration test checks whether an attacker can get in. But EDR killer ransomware attacks add a second question: can the attacker disable your security before you detect them? A thorough red team exercise should include an attempt to kill endpoint security. The goal is to confirm whether that action triggers an alert. This is about verifying configuration, not finding a product flaw.

Specifically, the test should check three things. Kernel driver loads from unexpected sources should generate a log entry. Terminating a protected EDR process should trigger an alert to whoever monitors your estate. Tamper protection should not be disabled by a standard domain user account, even one with local administrator rights.

If your last penetration test did not cover any of these points, it is worth asking your provider to add them to the next scope.

Monitor Driver Loads as a Routine Practice

Kernel driver load monitoring is a practical way to catch EDR killer ransomware attacks early. Windows Event ID 6 (via kernel audit) and Sysmon Event ID 6 both record when a new driver is loaded. An unexpected driver appearing during a live session, with a vendor name but no valid signature, should be a high-priority alert.

The Gentlemen gang and similar operations actively select targets based on known gaps in this area. Help Net Security notes that the gang selects victims partly based on FortiGate configuration data. Businesses exposed through the FortiBleed credential leak should treat this threat category as elevated risk.

Endpoint security is an important layer of defence. But it is only useful if it is still running when the attack arrives. Checking that it is protected, monitored, and tested is the work that makes the investment worthwhile.

You may also like