The Attack: Disabling Defenses Before Deploying Ransomware
The Gentlemen ransomware group has built something sophisticated: a suite of EDR killers designed to disable endpoint security products before ransomware deployment. Their primary tool, dubbed GentleKiller by ESET researchers, has at least eight variants that impersonate legitimate security products and target over 400 processes from 48 security vendors including CrowdStrike, SentinelOne, Microsoft, and Sophos.
The attack pattern is methodical. Affiliates deliver the EDR killer payload, which uses BYOVD (bring your own vulnerable driver) techniques to elevate to kernel-level privileges. Once elevated, it terminates security processes, disables defenses, and clears the path for ransomware deployment. The group maintains multiple EDR killers — including external tools like HexKiller, ThrottleBlood, and HavocKiller — for redundancy and to handle cases where one tool might fail.
This is the whack-a-mole problem in its purest form. Security vendors detect a new EDR killer, push a signature update, and the evildoers swap in a different vulnerable driver or modify the payload enough to evade detection again. The researchers documented eight GentleKiller variants specifically because the framework is designed for easy driver swaps without major code changes.
Why Traditional EDR Can’t Reliably Stop This
Here’s the uncomfortable truth: an EDR killer that successfully executes has already won. These tools are specifically designed to operate at the kernel level and terminate the very processes that would detect them. By the time your EDR recognizes the threat, it’s being killed.
Detection-based security has a fundamental timing problem. The EDR killer payload lands on disk, executes, elevates privileges, and begins terminating processes — all before your security product can analyze and respond. Even with behavioral detection and machine learning, there’s a window where the attacker is operating inside your system with the explicit goal of disabling your defenses.
The industry response is to build better detection, faster analysis, and more sophisticated behavioral models. But the evildoers just keep finding new vulnerable drivers, new obfuscation techniques, and new ways to kill processes before they can respond.
How FileSure Blocks the Attack Before It Starts
FileSure Defend operates at a different layer entirely. It’s a kernel-level file system filter driver that intercepts file operations before they complete. You define which programs are authorized to write executable files to your system. Everything else gets blocked — including threats nobody has seen before.
The Gentlemen ransomware EDR killer has to write its payload to disk before it can execute. That’s not optional. It’s how Windows works. FileSure intercepts that write operation at the kernel level and blocks it based on a simple rule: this program is not authorized to write executable files.
The payload never lands. It never executes. Your EDR never gets killed. The ransomware never deploys.
Here’s a specific FileSure rule configuration that would have prevented this attack:
File name filter: *.exe, *.dll, *.sys (executable file types)
Program name filter: Block all except authorized deployment tools
Operations: Create, Write
Drive type: Hard drives, Network drives
Result: Block and alert
When an email client, browser, or remote access tool attempts to write an executable file — which is exactly how the EDR killer payload lands — FileSure blocks the operation and logs the event. The attack stops at the delivery stage, before any of the sophisticated evasion techniques matter.
This isn’t signature-based. It doesn’t need to recognize GentleKiller or any of its variants. It simply enforces the rule: unauthorized programs cannot write executable files to this system. A variant from this morning gets blocked the same way as one from five years ago.
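As an added illustration of the allowlist logic the rule above expresses (this is example code written for this page, not FileSure's own filter driver, which runs in the kernel and is not reproduced here), the following Python models the rule as a policy evaluated over constructed file-write events. The program paths in the allowlist, the event fields, the log line format and the sample events are all assumptions of this example. It also goes one step beyond the page's rule: besides the *.exe, *.dll and *.sys name filters it checks whether the data being written starts with the "MZ" header of a Windows PE image, so an executable saved under a non-executable name is still caught.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Rule fields, mirroring the configuration described on the page.
EXECUTABLE_NAME_FILTERS = ("*.exe", "*.dll", "*.sys")
MONITORED_OPERATIONS = {"create", "write"}
MONITORED_DRIVE_TYPES = {"hard", "network"}

# Hypothetical allowlist of deployment tools (assumed paths, not from the page).
AUTHORIZED_WRITERS = {
    r"c:\program files\deploy\deploy-agent.exe",
    r"c:\windows\system32\msiexec.exe",
}

# Content check added in this example: Windows PE images start with "MZ".
PE_MAGIC = b"MZ"


@dataclass(frozen=True)
class WriteEvent:
    """One intercepted file operation, as a file system filter would see it."""
    program: str      # full path of the process performing the write
    path: str         # target file path
    operation: str    # "create", "write", "read", ...
    drive_type: str   # "hard", "network", "removable", ...
    first_bytes: bytes = b""  # leading bytes of the data being written, if known


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "block"
    alert: bool
    reason: str


def is_executable_target(event: WriteEvent) -> bool:
    """True if the target matches the name filters or the data carries a PE header."""
    name = PureWindowsPath(event.path).name.lower()
    by_name = any(fnmatch(name, pattern) for pattern in EXECUTABLE_NAME_FILTERS)
    by_content = event.first_bytes.startswith(PE_MAGIC)
    return by_name or by_content


def evaluate(event: WriteEvent) -> Verdict:
    """Apply the rule: only allowlisted programs may create or write executable files."""
    if event.operation.lower() not in MONITORED_OPERATIONS:
        return Verdict("allow", False, "operation is outside the rule's scope")
    if event.drive_type.lower() not in MONITORED_DRIVE_TYPES:
        return Verdict("allow", False, "drive type is outside the rule's scope")
    if not is_executable_target(event):
        return Verdict("allow", False, "target is not an executable file")
    if event.program.lower() in AUTHORIZED_WRITERS:
        return Verdict("allow", False, "program is an authorized deployment tool")
    return Verdict("block", True,
                   f"{event.program} is not authorized to write executable files")


def alert_line(event: WriteEvent, verdict: Verdict) -> str:
    """Log line for a blocked write (the format is this example's own, not FileSure's)."""
    return (f"BLOCKED {event.operation.upper()} program={event.program} "
            f"target={event.path} drive={event.drive_type} reason=\"{verdict.reason}\"")


# Constructed sample events; none of these paths or programs come from the page.
SAMPLE_EVENTS = [
    # mail client dropping an executable into the user's temp directory
    WriteEvent(r"C:\Program Files\Mail\mailclient.exe",
               r"C:\Users\alice\AppData\Local\Temp\update.exe", "create", "hard"),
    # authorized deployment tool updating an application DLL
    WriteEvent(r"C:\Program Files\Deploy\deploy-agent.exe",
               r"C:\Program Files\App\app.dll", "write", "hard"),
    # browser saving an ordinary document
    WriteEvent(r"C:\Program Files\Browser\browser.exe",
               r"C:\Users\alice\Downloads\report.pdf", "create", "hard"),
    # browser writing PE content under a non-executable name (caught by the MZ check)
    WriteEvent(r"C:\Program Files\Browser\browser.exe",
               r"C:\Users\alice\Downloads\notes.txt", "write", "hard",
               first_bytes=b"MZ\x90\x00"),
    # remote access tool writing a driver file to a network share
    WriteEvent(r"C:\Program Files\Remote\remote-access.exe",
               r"\\fileserver\share\tool.sys", "create", "network"),
]


def run_samples() -> list[tuple[str, str]]:
    """Evaluate every sample event and return (target path, action) pairs."""
    return [(event.path, evaluate(event).action) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = evaluate(event)
        if verdict.action == "block":
            print(alert_line(event, verdict))
        else:
            print(f"allowed {event.path} ({verdict.reason})")
```

Running the script blocks the first, fourth and fifth events and allows the other two. The order of the checks matters for the resulting log: scope filters (operation, drive type) come first so that out-of-scope traffic costs nothing, the executable test comes next, and the allowlist is consulted last, so every block record carries the unauthorized program's path for the analyst.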
The Upstream Intervention Advantage
The most effective security controls operate as early in the attack chain as possible. Gentlemen ransomware’s EDR killers are sophisticated, well-maintained, and specifically designed to defeat endpoint security products. But they all share one unavoidable requirement: they must write their payload to disk before executing.
FileSure blocks at that stage — before execution, before privilege escalation, before process termination, before ransomware deployment. Everything downstream in the attack chain becomes irrelevant because the first step never completes.
FileSure runs on all Windows versions from XP through Windows 11 and Server 2003 through Server 2022, including the legacy systems that modern EDR tools won’t protect. It operates with less than 2% CPU impact and works offline — no signature updates required, no cloud connection needed.
Most FileSure customers run it alongside their existing EDR. They’re complementary tools. EDR handles sophisticated threat detection and response. FileSure handles the foundational control: what’s allowed to write to your file system.
Start your free 21-day trial at bystorm.com and see FileSure block unauthorized executable writes in real time.
Source: Gentlemen ransomware uses multiple EDR killers to disable defenses
Category: Ransomware
Tags: gentlemen ransomware, edr killer, gentlekiller, byovd attack, kernel filter driver, ransomware prevention, file system security, executable write blocking