Prevent Ransomware Blog

Ransomware Crews Are Killing Endpoint Security Before Attacks

Written by Tony Chiappetta | Sep 15, 2025 9:00:00 AM

In recent weeks security researchers have sounded a powerful alarm: ransomware attackers are no longer just trying to evade detection—they’re attacking endpoint security tools themselves. According to a report in The Register, several ransomware crews are using “kernel-level EDR killers” to disable endpoint detection and response (EDR) solutions before they even deliver their payloads.

What’s happening: EDR tools under siege

Here’s a breakdown of the new threat landscape:

  • Ransomware operators—including ones behind Crypto24, Medusa, RansomHub, Qilin, and more—are using custom tools to disable EDR agents at the kernel level.

  • One example is a customized version of RealBlindingEDR that looks for drivers belonging to known security vendors and then disables those vendors’ kernel-level callbacks.

  • These attackers often already have privileged (administrator or SYSTEM) access before hitting the EDR, letting them run tools that remove or disable endpoint protection utilities.

  • They also repurpose legitimate software to do the disabling, for example troubleshooting or management utilities that are abused for malicious ends.

The impact is serious: once EDR is disabled, detection and response become impossible or severely delayed. Lateral movement, data theft, encryption—all that follows unchecked.
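The tampering pattern described above leaves traces before the agent goes dark: a security service stopped or set to disabled, a driver loaded from a location vendors never install from, and, most telling of all, the agent's heartbeat falling silent. The following is an added example written for this post; it is not code from the blog, from AppGuard, or from any EDR vendor. Every service name, driver name and log line is constructed, and the event format is a simplified key=value stand-in for what the Windows Service Control Manager, Sysmon and an agent heartbeat feed would actually emit.

```python
"""Flag endpoint events that suggest security tooling is being switched off.

Added example for this post; it is not code from the blog, AppGuard, or any
EDR vendor. Service names, driver names and every log line below are
constructed. In a real deployment the inputs would be Windows System-log
events from the Service Control Manager, Sysmon driver-load and
process-creation events, and the agent's own heartbeat feed, all forwarded
off the host so the record survives if the agent is killed.
"""
import re
from datetime import datetime, timedelta

# Constructed: the security services and kernel drivers this host should
# keep running at all times.
PROTECTED_SERVICES = {"ExampleEDR", "ExampleAV"}
PROTECTED_DRIVERS = {"exampleedr.sys", "exampleav.sys"}
# Locations a non-privileged user can write to. Vendor drivers are not
# installed from here, so a driver load from these paths is suspicious.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# How long the agent may be silent before its silence is itself an alert.
HEARTBEAT_GAP = timedelta(minutes=5)

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Parse a 'key=value key2="value with spaces"' line into a dict."""
    fields = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields

def _driver_name(image):
    return image.lower().rsplit("\\", 1)[-1]

def analyze(lines):
    """Return (timestamp, severity, message) for each tampering signal."""
    findings = []
    last_heartbeat = None
    for ev in map(parse, lines):
        ts, kind = ev["ts"], ev["event"]
        if kind == "heartbeat":
            last_heartbeat = ts
            continue
        if kind == "service_stop" and ev["service"] in PROTECTED_SERVICES:
            findings.append((ts, "high", f"protected service {ev['service']} stopped"))
        elif (kind == "service_config" and ev["service"] in PROTECTED_SERVICES
              and ev.get("start") == "disabled"):
            findings.append((ts, "high", f"{ev['service']} start type set to disabled"))
        elif kind == "driver_load":
            image = ev["image"]
            if ev.get("signed") != "true" or image.lower().startswith(USER_WRITABLE):
                findings.append((ts, "high", f"untrusted kernel driver loaded: {image}"))
        elif kind == "driver_unload" and _driver_name(ev["image"]) in PROTECTED_DRIVERS:
            findings.append((ts, "high", f"protected driver unloaded: {ev['image']}"))
        elif kind == "process_create":
            cmd = ev.get("cmdline", "").lower()
            names_service = any(s.lower() in cmd for s in PROTECTED_SERVICES)
            if names_service and any(w in cmd for w in ("stop", "delete", "disabled")):
                findings.append((ts, "medium", f"command targets a security service: {ev['cmdline']}"))
        # The strongest signal is the agent falling silent: a killed sensor
        # reports nothing, so its absence has to be detected from outside.
        if last_heartbeat is not None and ts - last_heartbeat > HEARTBEAT_GAP:
            findings.append((ts, "high", f"no heartbeat from the EDR agent for {ts - last_heartbeat}"))
            last_heartbeat = None  # report once until the agent returns
    return findings

# Constructed log excerpt: a privileged session stops the AV service,
# disables it, loads an unsigned driver from Temp, then the EDR goes quiet.
SAMPLE_LOG = [
    'ts=2025-09-15T09:00:00 event=heartbeat agent=ExampleEDR',
    'ts=2025-09-15T09:01:00 event=heartbeat agent=ExampleEDR',
    'ts=2025-09-15T09:01:30 event=process_create image=C:\\Windows\\System32\\sc.exe user=NT_AUTHORITY\\SYSTEM cmdline="sc stop ExampleAV"',
    'ts=2025-09-15T09:01:31 event=service_stop service=ExampleAV',
    'ts=2025-09-15T09:01:32 event=service_config service=ExampleAV start=disabled',
    'ts=2025-09-15T09:01:40 event=driver_load image=C:\\Windows\\Temp\\blind.sys signed=false',
    'ts=2025-09-15T09:02:00 event=heartbeat agent=ExampleEDR',
    'ts=2025-09-15T09:15:00 event=process_create image=C:\\Windows\\System32\\notepad.exe user=CORP\\alice cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for ts, severity, message in analyze(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {severity:<6} {message}")
```

The design point is where this logic runs: on the host, it dies with the agent. Forward the service, driver and heartbeat events to a collector as they happen and evaluate them there, and treat a missing heartbeat as an incident in its own right rather than a connectivity blip.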

Why “Detect and Respond” is no longer enough

Traditional approaches to endpoint security typically follow a detect-and-respond model: identify suspicious behavior, investigate, quarantine, remediate. But these newer threat techniques short-circuit that model by eliminating the detect part entirely. If the tools that report the behavior are disabled, there is no alert, no trigger, no response until the damage is done.

To defend against these threats, businesses need protection that works even when detection fails. That means moving from a reactive posture (detect, respond) to a proactive one focused on isolation, containment, and ensuring that code you don’t explicitly allow simply cannot execute or escalate privileges.
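What "code you don't explicitly allow cannot execute" looks like as a rule set is easier to see in running code. The block below is an added example for this post, not AppGuard's engine or policy format (the post describes neither); it models the principle as a default-deny execution policy with containment that is inherited by child processes, and none of its decisions consult a detection verdict. The paths, application names and sample process tree are constructed.

```python
"""A default-deny execution and containment policy, as a runnable model.

Added example for this post, not AppGuard's engine or policy format (the
post does not describe either). It models the principle the post states:
code that is not explicitly allowed does not execute, and applications that
handle untrusted content run contained, so their reach is limited whether or
not any detection tool is alive. Paths, application names and the sample
process tree are constructed.
"""
from dataclasses import dataclass, field

SYSTEM_SPACE = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations; checked before SYSTEM_SPACE because
# C:\Windows\Temp sits under C:\Windows but is writable by any user.
USER_SPACE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Applications exposed to untrusted content (mail, documents, web) run
# contained: they may execute, but lose write access to system space and
# cannot launch code from user space.
CONTAINED_APPS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe"}
# The explicit allow-list for user-space executables (constructed).
ALLOWED_USER_SPACE = {"c:\\users\\alice\\appdata\\local\\approvedtool\\approvedtool.exe"}

def _under(path, roots):
    return path.lower().startswith(roots)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

@dataclass
class Policy:
    contained: set = field(default_factory=set)  # pids running under containment

    def on_exec(self, pid, parent_pid, image):
        """Decide whether a new process may start; returns (allowed, reason)."""
        img = image.lower()
        parent_contained = parent_pid in self.contained
        if _under(img, USER_SPACE):
            if img not in ALLOWED_USER_SPACE:
                return False, f"not allowed: execution from user-writable path {image}"
            if parent_contained:
                return False, "not allowed: contained application may not launch user-space code"
        elif not _under(img, SYSTEM_SPACE):
            return False, f"not allowed: {image} is outside every permitted location"
        if parent_contained or _basename(img) in CONTAINED_APPS:
            self.contained.add(pid)  # containment is inherited by children
            return True, "allowed, contained"
        return True, "allowed"

    def on_write(self, pid, target):
        """A contained process may use temp/user space but not alter system space."""
        if pid in self.contained and _under(target, SYSTEM_SPACE) and not _under(target, USER_SPACE):
            return False, f"not allowed: contained process may not modify {target}"
        return True, "allowed"

    def on_driver_load(self, pid, image):
        """Drivers load only from system space and never on behalf of a contained process."""
        if pid in self.contained:
            return False, "not allowed: contained process may not load kernel drivers"
        if _under(image, USER_SPACE) or not _under(image, SYSTEM_SPACE):
            return False, f"not allowed: driver outside system space: {image}"
        return True, "allowed"

def demo():
    """Run a constructed process tree through the policy; returns decisions in order."""
    policy = Policy()
    return [
        policy.on_exec(100, 1, "C:\\Program Files\\Microsoft Office\\Outlook.exe"),
        policy.on_exec(101, 100, "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe"),
        policy.on_exec(102, 100, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
        policy.on_write(102, "C:\\Windows\\System32\\drivers\\blind.sys"),
        policy.on_driver_load(102, "C:\\Windows\\Temp\\blind.sys"),
        policy.on_exec(103, 1, "C:\\Windows\\System32\\svchost.exe"),
        policy.on_driver_load(103, "C:\\Windows\\System32\\drivers\\exampleedr.sys"),
    ]

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Two things are worth noticing in the walkthrough. The mail client is allowed to run, but the executable it drops into a temp folder is refused without anyone having to recognise it, and the shell it spawns inherits the same limits, so it cannot write into the drivers directory or load a driver from a user-writable path. The only driver load that succeeds is a system-space driver requested by an uncontained service.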

Enter AppGuard: Isolation & containment in action

AppGuard is a commercial endpoint protection solution with over ten years of field-proven success. Unlike many EDR products, AppGuard does not rely solely on detecting threats; instead, it enforces strict isolation of application behavior. If an application or process behaves outside of its allowed norms, AppGuard can contain it before it escalates or harms critical systems.

Key strengths of AppGuard include:

  • Prevention even when detection fails: Because it constrains what processes are allowed to do, AppGuard limits damage even if attackers try to use kernel exploits or official tools to disable security software.

  • Least privilege and privilege separation: By enforcing fine-grained rules, it reduces what any user or process (legitimate or malicious) can do.

  • Proven track record: Ten years in various sectors, protecting against advanced threats, misuse, and zero-day exploits.

  • Low false positives / manageable overhead: Because behavior is constrained rather than watched (and then reacted to), there tend to be fewer alerts to sort through.

What business leaders should do now

If you are a business owner or in charge of security, here are steps to take immediately:

  1. Re-evaluate your reliance on detection alone. Ask: if our EDR is disabled, what stops an attacker from doing what they want?

  2. Introduce isolation- and containment-based tools, such as AppGuard, that don’t wait for detection before acting.

  3. Layer your defenses. You don’t necessarily need to replace EDR; supplement or complement it so that if detection fails, containment holds the line.

  4. Test your defenses. Run penetration tests or red-team exercises that simulate EDR disablement or kernel-level compromise. See whether your security posture still protects data integrity, system availability, and your ability to recover.

Conclusion

The new generation of ransomware attacks shows that adversaries are not just looking to slip under the radar—they’re taking out the radar. In such an environment, business protection strategies that assume detection will always work are dangerously outdated.

If you want to protect your organization from these threats, moving from a “detect and respond” mindset to one of isolation and containment isn’t optional—it’s essential. AppGuard offers that next-level protection, with real deployments over the past decade showing its effectiveness.

Call to Action

If you lead a business that cares about keeping its systems safe, let’s talk. CHIPS can show you how deploying AppGuard can prevent incidents like those described above. Don’t wait until ransomware disables your endpoint tools. Book a consultation with us at CHIPS, and let’s discuss how to move beyond detect and respond—and take action with isolation and containment.
