If EDR is so great, why are these attacks still happening?
That is becoming a harder question for security leaders to answer.
A newly reported ransomware operation called Gentlemen is highlighting something many organizations have quietly worried about for years: attackers are not just trying to evade security tools anymore. They are actively trying to disable them before launching ransomware.
The lesson for business leaders is not that endpoint security no longer matters.
It is that relying only on detection creates risk when attackers are designing attacks specifically to remove visibility before damage begins.
So what exactly happened?
According to reporting from BleepingComputer and research from ESET, the Gentlemen ransomware operation has been developing and maintaining multiple specialized tools designed to disable Endpoint Detection and Response (EDR) products before ransomware execution.
Researchers identified a framework called GentleKiller that reportedly includes multiple variants capable of targeting hundreds of security processes across dozens of security vendors.
The attackers reportedly use a technique known as Bring Your Own Vulnerable Driver (BYOVD).
In simple terms, attackers load legitimate but vulnerable software drivers to gain elevated access inside systems and interfere with security controls.
Once defenses are weakened or disabled, ransomware execution, credential theft, lateral movement, and data encryption become significantly easier.
Researchers also observed credential theft capabilities and evidence that the operation adapts quickly by swapping techniques and tooling without rebuilding entire attack chains.
This is not a story about one ransomware group.
It reflects a broader shift in attacker strategy.
Why are attackers getting past security tools?
Modern ransomware groups understand something many organizations struggle to accept:
Detection only works if detection stays alive.
Traditional EDR approaches depend heavily on visibility, alerts, telemetry, and response actions after suspicious activity begins.
Attackers increasingly focus on removing that visibility first.
That can happen through:
• EDR bypass and tampering
• Credential abuse
• Living off the land techniques using legitimate system tools
• Delayed detection windows
• Driver exploitation and privilege escalation
• Security process termination before encryption starts
Once attackers gain enough control to disable monitoring, incident responders often discover the attack only after files are encrypted, systems fail, or customers are affected.
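As an added illustration, not code from the article or from CHIPS, ESET, or AppGuard, the following Python detection logic shows how a defender can catch the pattern described above: a suspicious driver load followed, on the same host, by the termination of several security processes. The event schema, host names, driver paths, hashes, and security process names are all constructed placeholders; a real deployment would feed it endpoint telemetry and a vendor-maintained vulnerable-driver blocklist.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed policy values (placeholders, not from the article):
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"   # drivers loaded from elsewhere are unusual
BLOCKED_DRIVER_HASHES = {"PLACEHOLDER-HASH-1"}        # stand-in for a vulnerable-driver blocklist
SECURITY_PROCESSES = {"edr_agent.exe", "edr_sensor.exe", "av_service.exe"}  # constructed names
WINDOW = timedelta(minutes=5)   # how soon after the driver load the kills must occur
MIN_KILLS = 2                   # distinct security processes ended before we alert

# Constructed sample telemetry: ws01 shows the BYOVD-then-kill pattern, ws02 does not.
EVENTS = [
    {"ts": "2025-01-10T09:00:05", "host": "ws01", "type": "driver_load",
     "image": r"C:\Users\Public\PLACEHOLDER-vulnerable.sys", "sha256": "PLACEHOLDER-HASH-1"},
    {"ts": "2025-01-10T09:00:09", "host": "ws01", "type": "process_terminate",
     "image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"ts": "2025-01-10T09:00:10", "host": "ws01", "type": "process_terminate",
     "image": r"C:\Program Files\ExampleAV\av_service.exe"},
    {"ts": "2025-01-10T09:00:11", "host": "ws01", "type": "process_terminate",
     "image": r"C:\Program Files\ExampleEDR\edr_sensor.exe"},
    {"ts": "2025-01-10T09:30:00", "host": "ws02", "type": "driver_load",
     "image": r"C:\Windows\System32\drivers\PLACEHOLDER-benign.sys", "sha256": "PLACEHOLDER-HASH-2"},
    {"ts": "2025-01-10T09:31:00", "host": "ws02", "type": "process_terminate",
     "image": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def is_suspicious_driver(event):
    """Blocklisted hash, or a driver loaded from outside the system driver directory."""
    parent = str(PureWindowsPath(event["image"]).parent).lower()
    return event["sha256"] in BLOCKED_DRIVER_HASHES or parent != TRUSTED_DRIVER_DIR

def detect_edr_tampering(events):
    """Alert when a suspicious driver load is followed by MIN_KILLS security-process terminations."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, e in enumerate(events):
        if e["type"] != "driver_load" or not is_suspicious_driver(e):
            continue
        deadline = _ts(e) + WINDOW
        killed = {PureWindowsPath(f["image"]).name.lower() for f in events[i + 1:]
                  if f["host"] == e["host"] and f["type"] == "process_terminate"
                  and _ts(f) <= deadline
                  and PureWindowsPath(f["image"]).name.lower() in SECURITY_PROCESSES}
        if len(killed) >= MIN_KILLS:
            alerts.append({"host": e["host"], "driver": e["image"], "terminated": sorted(killed)})
    return alerts

if __name__ == "__main__":
    print(detect_edr_tampering(EVENTS))
```

The two checks in `is_suspicious_driver` are deliberately independent, so a blocklisted driver is still flagged if it was copied into the system driver directory, and an unknown driver is still flagged if it loads from a user-writable path.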
This trend is showing up across breach data.
IBM's Cost of a Data Breach Report found the global average cost of a breach reached $4.44 million, while extortion and ransomware incidents disclosed by attackers averaged $5.08 million in costs.
Source:
https://www.ibm.com/reports/data-breach
Verizon's 2025 Data Breach Investigations Report analyzed more than 22,000 security incidents and found credential abuse accounted for 22% of breaches while vulnerability exploitation represented 20% of initial access activity.
Source:
https://www.verizon.com/about/news/2025-data-breach-investigations-report
Those numbers reinforce an uncomfortable reality.
Attackers are moving faster than organizations can detect and respond to them.
What does this mean for businesses like yours?
The impact of ransomware extends far beyond encrypted files.
Financial damage can include incident response costs, recovery expenses, lost revenue, legal fees, regulatory penalties, and customer compensation.
Operational downtime may halt production, customer service, logistics, and internal business processes.
Reputation damage can create long-term trust issues with customers, investors, and partners.
Legal and compliance exposure may trigger reporting requirements, audits, contractual consequences, and litigation.
Productivity losses can continue for weeks after systems come back online.
Many organizations discover that restoring systems is easier than restoring confidence.
Could this happen even if we already have EDR?
Yes.
That does not mean EDR has failed.
EDR remains valuable.
But operations like Gentlemen demonstrate that endpoint visibility alone cannot be the only layer standing between attackers and critical business systems.
When attackers deliberately target detection tools, organizations need controls that continue protecting endpoints even when monitoring becomes degraded.
That is where prevention-first thinking becomes increasingly important.
Why are traditional defenses struggling?
Security models built primarily around Detect and Respond assume attackers will eventually execute something suspicious and defenders will react in time.
That assumption becomes risky when:
• Attackers move faster than human response
• Security tools are disabled first
• Legitimate credentials are abused
• Malware execution is delayed or disguised
• Endpoint visibility disappears during critical moments
The question shifts from:
"Can we detect this?"
to
"What happens if detection never gets the chance?"
What is changing in endpoint security?
Organizations are increasingly exploring security architectures focused on Isolation and Containment.
Instead of waiting for suspicious behavior and then reacting, the objective becomes preventing unauthorized actions from executing in the first place.
That means:
• Prevention before execution
• Restricting unauthorized applications
• Limiting attacker movement
• Reducing blast radius
• Preventing encryption before it starts
One example is AppGuard, a proven endpoint protection solution with a 10-year track record focused on prevention through Isolation and Containment.
Rather than depending solely on identifying threats after execution begins, this approach focuses on containing untrusted activity before it can create business impact.
The goal is resilience, not simply detection.
What Should Businesses Do Next?
Business leaders should assume detection will fail at some point and plan accordingly.
Practical actions include:
• Add prevention layers alongside detection tools
• Reduce endpoint execution freedom where possible
• Test scenarios where security tools become unavailable
• Review third-party and privileged access pathways
• Segment critical systems and sensitive assets
• Harden administrative controls and credential management
• Strengthen incident response and recovery planning
• Evaluate whether security controls still function under attack conditions
The organizations that adapt fastest are not necessarily buying more tools.
They are reducing opportunities for attackers to operate.
Final Thoughts
The Gentlemen ransomware findings are not evidence that security has stopped working.
They are evidence that attackers are changing faster than many security strategies.
Detection remains important.
But when attackers are actively targeting the systems designed to detect them, prevention through Isolation and Containment deserves a larger role in the conversation.
Business owners who want to better understand how prevention-first security can stop attacks before damage occurs should talk with CHIPS about how AppGuard can help prevent incidents like this through Isolation and Containment.