If security tools are supposed to stop attacks, why are companies still getting hit?
That question is becoming harder to ignore.
A newly analyzed ransomware operation revealed something uncomfortable for business leaders: attackers are no longer simply trying to avoid detection. They are actively turning security controls off before launching the real attack.
For organizations that depend heavily on detecting threats after they begin, this shift matters.
The latest example comes from the GentleKiller framework, a toolset used by the Gentlemen ransomware operation to disable endpoint security products before encryption begins.
This is not just another ransomware story. It is a reminder that security assumptions are changing.
So what exactly happened?
Researchers uncovered a ransomware operation called Gentlemen that provides affiliates with specialized tools designed specifically to disable endpoint detection and response, or EDR, products before deploying ransomware.
At the center of the operation is a framework called GentleKiller.
Rather than attempting to sneak around security monitoring, GentleKiller attempts to shut monitoring down altogether.
Researchers found that the framework includes multiple variants capable of targeting hundreds of security-related processes across dozens of security products. The attackers use a technique called Bring Your Own Vulnerable Driver, or BYOVD: they load a legitimately signed but vulnerable driver, which Windows accepts because its signature is valid, then abuse that driver's flaws to act from kernel mode, where they can terminate protected security processes that user-mode tamper protection would normally shield.
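The practical defender's question after a paragraph like the one above is how an EDR kill would look in telemetry that survives the kill. The following is an added example, not code from the original article, from ESET, or from any product named on this page. It correlates Sysmon-style DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) records: a driver load that is not on a fleet allowlist, followed within a short window by several terminations of the endpoint agent's own processes, is flagged as a probable BYOVD EDR kill. All events, hashes, driver names, the protected process names (`SensorSvc.exe` and friends), and the allow/deny lists are constructed placeholders; in production the denylist would come from the Microsoft recommended driver block rules or the LOLDrivers project, and the protected names from the EDR vendor's documentation.

```python
"""Flag driver loads followed by a burst of security-agent terminations.

Added illustrative example: the events, hashes, paths and process names below
are constructed, not real telemetry or real vulnerable-driver hashes.
"""
from datetime import datetime, timedelta
import ntpath  # handles backslash paths even when this runs on Linux

# Image names of the endpoint agent's processes (assumption: placeholder names,
# replace with the real binaries of the EDR product in use).
PROTECTED_PROCESSES = {"SensorSvc.exe", "SensorUI.exe", "AgentUpdater.exe"}

# Drivers known good in this fleet, keyed by SHA-256 (constructed values).
ALLOWED_DRIVER_HASHES = {"a1" * 32}

# Vulnerable-driver denylist (constructed values; in practice populated from the
# Microsoft recommended driver block rules or the LOLDrivers project).
BLOCKED_DRIVER_HASHES = {"b2" * 32}


def sha256_from_hashes(hashes: str) -> str:
    """Pull the SHA256 entry out of a Sysmon 'Hashes' field like
    'SHA1=...,SHA256=...,IMPHASH=...'. Returns '' if absent."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def classify_driver(event: dict) -> str:
    """Verdict for a DriverLoad event, most severe first:
    'blocked' (on denylist) > 'unsigned' > 'unknown' (signed, not allowlisted) > 'allowed'."""
    digest = sha256_from_hashes(event.get("Hashes", ""))
    if digest in BLOCKED_DRIVER_HASHES:
        return "blocked"
    if event.get("Signed", "false").lower() != "true":
        return "unsigned"
    if digest in ALLOWED_DRIVER_HASHES:
        return "allowed"
    return "unknown"


def find_edr_kill_chains(events, window_seconds=120, min_terminations=2):
    """Return one finding per non-allowlisted driver load that is followed,
    within window_seconds, by at least min_terminations terminations of
    protected processes. Allowlisted drivers are skipped outright, so a
    coincidental agent restart after a normal driver load does not alert."""
    ordered = sorted(events, key=lambda e: e["UtcTime"])  # ISO timestamps sort as text
    findings = []
    for i, ev in enumerate(ordered):
        if ev["EventID"] != 6:
            continue
        verdict = classify_driver(ev)
        if verdict == "allowed":
            continue
        deadline = datetime.fromisoformat(ev["UtcTime"]) + timedelta(seconds=window_seconds)
        killed = []
        for later in ordered[i + 1:]:
            if datetime.fromisoformat(later["UtcTime"]) > deadline:
                break
            if later["EventID"] == 5 and ntpath.basename(later["Image"]) in PROTECTED_PROCESSES:
                killed.append(ntpath.basename(later["Image"]))
        if len(killed) >= min_terminations:
            findings.append({
                "driver": ev["ImageLoaded"],
                "verdict": verdict,
                "signature": ev.get("Signature", ""),
                "terminated": killed,
            })
    return findings


# Constructed sample log, mirroring Sysmon field names.
SAMPLE_EVENTS = [
    # Benign allowlisted vendor driver.
    {"EventID": 6, "UtcTime": "2026-06-18T09:00:00", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\vendor_display.sys",
     "Hashes": "SHA256=" + "a1" * 32, "Signature": "Example Display Vendor"},
    # Validly signed but vulnerable utility driver dropped into Temp (the BYOVD step).
    {"EventID": 6, "UtcTime": "2026-06-18T09:01:00", "Signed": "true",
     "ImageLoaded": r"C:\Windows\Temp\legacy_tool.sys",
     "Hashes": "SHA256=" + "b2" * 32, "Signature": "Example Hardware Utilities"},
    # The agent's processes die one after another a few seconds later.
    {"EventID": 5, "UtcTime": "2026-06-18T09:01:08", "Image": r"C:\Program Files\EDR\SensorSvc.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18T09:01:09", "Image": r"C:\Program Files\EDR\SensorUI.exe"},
    {"EventID": 5, "UtcTime": "2026-06-18T09:01:10", "Image": r"C:\Program Files\EDR\AgentUpdater.exe"},
    # Unrelated exit inside the window; not a protected process, so ignored.
    {"EventID": 5, "UtcTime": "2026-06-18T09:01:12", "Image": r"C:\Windows\System32\notepad.exe"},
    # Signed driver not yet on the allowlist, followed by one agent UI exit: below threshold.
    {"EventID": 6, "UtcTime": "2026-06-18T09:30:00", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\newvendor.sys",
     "Hashes": "SHA256=" + "c3" * 32, "Signature": "Another Vendor"},
    {"EventID": 5, "UtcTime": "2026-06-18T09:30:30", "Image": r"C:\Program Files\EDR\SensorUI.exe"},
]

if __name__ == "__main__":
    for f in find_edr_kill_chains(SAMPLE_EVENTS):
        print(f"{f['verdict']} driver {f['driver']} ({f['signature']}) "
              f"followed by termination of {', '.join(f['terminated'])}")
```

Run against the sample, this reports only the Temp-dropped denylisted driver followed by the three agent terminations; the allowlisted driver is never considered, and the unknown driver with a single agent exit stays below the threshold. The design point matters more than the thresholds: this correlation has to run centrally on forwarded logs, because once the sensor is dead the host itself stops reporting, and a host that goes silent right after an unexpected driver load is itself the alert the page is describing.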
The concerning part is not just the sophistication.
It is the operational maturity.
Researchers observed that the ransomware operators maintain and update these EDR-killing capabilities centrally and distribute them to affiliates, making advanced defense evasion more accessible and scalable.
For businesses, this means ransomware groups are investing heavily in neutralizing security before encryption ever starts.
Useful references:
• Source coverage: https://cybersecuritynews.com/gentlekiller-ransomware-edr-processes/
• Additional analysis: https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/
• Research overview: https://www.helpnetsecurity.com/2026/06/18/eset-gentlemen-edr-killers/
Why are attackers getting past security tools?
EDR changed the security industry by giving organizations better visibility and faster response.
But visibility is not the same thing as prevention.
Modern ransomware groups understand how security products operate. Increasingly, they build attack chains designed to disable monitoring, abuse legitimate credentials, leverage administrative tools already inside the environment, and move laterally before alerts trigger.
Abusing the credentials and administrative tools already present, rather than dropping recognizable malware, is often called living off the land.
If attackers obtain elevated privileges and disable protective controls early enough, security teams can lose visibility during the most critical moments.
This creates a dangerous timing problem.
According to Verizon's 2025 Data Breach Investigations Report, ransomware appeared in 44% of all analyzed breaches globally, and exploitation of vulnerabilities as an initial access vector increased by 34%. Credential abuse remained one of the leading initial access methods.
Attackers are moving faster while organizations still depend on workflows that assume alerts arrive in time.
Could this happen even if we already have EDR?
That is the uncomfortable question leadership teams should ask.
Security products remain valuable and should remain part of the security stack.
But businesses should recognize that no single detection technology is immune from tampering, privilege abuse, or operational gaps.
Once attackers establish administrative control, the objective often becomes disabling logging, weakening controls, terminating services, and reducing resistance before deploying ransomware.
That creates consequences far beyond IT.
Financial damage can include incident response costs, legal expenses, recovery operations, ransom negotiations, and lost revenue.
Operational downtime can stop manufacturing, customer service, order fulfillment, and business continuity.
Reputation damage can reduce customer trust and impact future growth.
Legal and compliance exposure can trigger reporting requirements, audits, and contractual consequences.
Productivity losses can continue long after systems come back online.
IBM's 2025 Cost of a Data Breach Report found the global average cost of a breach reached approximately $4.4 million USD. Organizations that improved identification and containment reduced financial impact significantly.
Why are traditional defenses struggling?
Traditional security approaches often follow a Detect and Respond model.
The assumption is straightforward:
Detect suspicious activity.
Investigate.
Respond before damage occurs.
That approach still matters.
But ransomware groups increasingly operate at machine speed.
If encryption begins minutes after initial access, delayed response windows become costly.
If EDR processes are disabled, visibility may disappear exactly when it is needed.
If attackers use legitimate credentials, alerts may never appear suspicious enough.
If lateral movement occurs before containment, blast radius expands quickly.
Detection remains necessary.
But detection alone is becoming insufficient.
What is changing in endpoint security?
Many organizations are adding a prevention-first layer focused on Isolation and Containment.
The objective changes from:
"Detect malicious execution quickly"
to:
"Reduce what can execute in the first place."
Isolation and Containment emphasizes:
• Preventing unauthorized applications from executing
• Restricting actions rather than relying entirely on classification
• Limiting attacker movement between systems
• Reducing blast radius when compromise occurs
• Preventing encryption activity before damage begins
This model assumes attackers will eventually gain access somewhere and focuses on limiting what they can do afterward.
One example of this approach is AppGuard, a proven endpoint protection solution with a 10-year track record focused on prevention through Isolation and Containment.
Rather than replacing security monitoring, prevention-focused controls work alongside detection to reduce dependence on response timing.
What Should Businesses Do Next?
Business leaders do not need to become malware analysts.
But they should challenge assumptions.
Practical actions include:
• Assume detection will fail at some point
• Add prevention layers alongside monitoring
• Reduce endpoint execution freedom wherever possible
• Test failure scenarios where EDR becomes unavailable, including whether a stopped sensor or a missing agent heartbeat is itself alerted on centrally
• Review third-party access and privileged accounts
• Segment critical systems and business operations
• Prepare and rehearse incident response plans
• Evaluate how quickly ransomware could spread internally
• Measure recovery capabilities, not just detection metrics
The goal is resilience, not perfection.
Because if attackers are building tools to turn defenses off first, businesses need strategies that continue protecting operations even when visibility disappears.
Business owners who want to better understand how prevention-first security can stop attacks before damage occurs should talk with CHIPS about how AppGuard can help prevent incidents like this through Isolation and Containment.
June 28, 2026