When Ransomware Can Turn Off Your EDR, Your Backups Need Their Own Detection

The ransomware-as-a-service crew known as The Gentlemen ships its affiliates a dedicated toolkit whose only purpose is to switch off endpoint protection before encryption begins. ESET documented the framework, called GentleKiller, in Killing Me Gently: Inside Gentlemen’s EDR Killer Framework. It runs at least eight variants, each abusing a different vulnerable or malicious kernel driver, and together they target more than 400 processes mapped to 48 security products.

  • 8+ variants in the GentleKiller framework, each abusing a different vulnerable or malicious kernel driver
  • 400+ processes the framework targets to terminate or blind protection
  • 48 security products in scope, spanning the major EDR platforms most teams rely on
  • T1562.001, the MITRE ATT&CK technique Impair Defenses: Disable or Modify Tools, turned into a maintained product

That list spans the major endpoint detection and response (EDR) platforms most security teams rely on. Disabling security tools is an old technique. What changed is that doing it is now a maintained product, distributed to vetted affiliates and updated like any other software.

Killing EDR is now a product, not a custom job

The variants operate at the kernel level, beneath the EDR agent, where they can terminate or blind security software. The common pattern is bring-your-own-vulnerable-driver (BYOVD): load a signed but flawed driver, then borrow its privileges to kill protection. Some variants load malicious drivers outright rather than abuse legitimate ones, and ESET’s indicators of compromise include rootkit components. The operators also adopt newly published EDR-killer proofs-of-concept, including ones tracked as UnknownKiller and PoisonKiller, within days of their public release.

The framework is built to look legitimate. Variants impersonate well-known software such as Kaspersky, Valorant, FACEIT Anti-Cheat, Javelin, and WatchDog, carry invalid digital signatures copied from real executables along with matching icons and version strings, and ship under commercial packers (Enigma or Themida) to slow analysis. The Gentlemen also fold in third-party EDR killers rather than build everything themselves:

  • HexKiller previously appeared in Warlock operations and abuses a Baidu Antivirus driver.
  • ThrottleBlood is linked to MedusaLocker and DragonForce and abuses a TechPowerUp driver.
  • HavocKiller was publicly disclosed in March 2026 but had been in operational use since January, and abuses a Huawei audio driver.

A separate Rust-based credential stealer, OxideHarvest, pulls saved passwords from Chromium and Firefox browsers. A May 2026 internal data leak confirmed that GentleKiller is operator-maintained, with leadership discussing how to keep the EDR-killer packages current for affiliates. MITRE catalogs disabling defenses as T1562.001, Impair Defenses: Disable or Modify Tools. The Gentlemen turned that technique into a supported feature.

Key Distinction

When an attacker can switch the EDR agent off from kernel level, the absence of an alert stops being evidence of anything. A quiet console can mean the environment is clean, or it can mean the sensor was blinded before it could report.

What a blinded endpoint does to your recovery

ESET’s public analysis focuses on defense evasion, not backup compromise or initial access. The recovery problem is more general than one crew. Most backup hygiene quietly assumes production detection is working: that if malware were present, the EDR agent on the host would have caught it before the data was copied. An EDR killer removes that assumption.

Backups run on a schedule. If endpoint sensors are blinded during the window between compromise and detection, a scheduled job can copy the compromised state into a recovery point with no alert attached. The backup succeeds and the dashboard stays green. The copy may still carry the malware, the staged tooling, or the altered data the attacker left behind, and nothing in the production telemetry will say so.

A host whose kernel is owned cannot certify its own backups.

The detection that still works in that situation is the detection that the attacker’s driver cannot reach. Inspecting the recovery points themselves, off the production host, puts the integrity verdict outside the trust path the EDR killer just compromised. Our recovery-point inspection runs outside production: Elastio inspects supported recovery points for ransomware, insider-threat encryption, and malware, so a clean point is identified by evidence rather than by an alert that may never have fired.
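The off-host inspection described above, as an added example that is not Elastio's product code: each recovery point of one service is walked from outside production, scored on two encryption indicators (files that should be structured but read as random bytes, and ransom notes dropped beside the data), and the newest point that reads as clean is returned. The thresholds, note-name hints and the sample snapshots are constructed for the demo, not values from the ESET report.

```python
"""Off-host recovery-point inspection (added example, not Elastio's product code).
Score each recovery point by encryption indicators and pick the newest clean one."""
import math, os, tempfile
from collections import Counter

ENTROPY_LIMIT = 7.2            # bits/byte; structured data rarely exceeds this (assumed)
MAX_ENCRYPTED_FRACTION = 0.05  # flag a point when >5% of files look random (assumed)
NOTE_HINTS = ("restore", "decrypt", "recover")      # constructed ransom-note name hints
SKIP_EXTS = {".zip", ".gz", ".7z", ".png", ".jpg"}  # legitimately high-entropy types

def shannon_entropy(data: bytes) -> float:
    n = len(data)  # 8.0 bits/byte means the sample is indistinguishable from random
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
def looks_encrypted(path: str) -> bool:  # a structured file that reads as random bytes
    if os.path.splitext(path)[1].lower() in SKIP_EXTS:
        return False
    with open(path, "rb") as f:
        return shannon_entropy(f.read(65536)) > ENTROPY_LIMIT
def inspect_snapshot(root: str) -> dict:  # walk one recovery point, compute indicators
    total, flagged, notes = 0, 0, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, total = os.path.join(dirpath, name), total + 1
            if name.lower().endswith(".txt") and any(h in name.lower() for h in NOTE_HINTS):
                notes.append(path)      # ransom note dropped beside the data
            elif looks_encrypted(path):
                flagged += 1
    fraction = flagged / total if total else 0.0
    return {"files": total, "encrypted_fraction": fraction, "ransom_notes": notes,
            "clean": fraction <= MAX_ENCRYPTED_FRACTION and not notes}
def last_clean_recovery_point(snapshots):
    """Snapshots oldest first; the verdict comes from the copies, not from telemetry."""
    return next((s for s in reversed(snapshots) if inspect_snapshot(s)["clean"]), None)
def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)
def build_demo_snapshots() -> list:
    """Constructed sample data: two clean points, then one copied after encryption."""
    base = tempfile.mkdtemp(prefix="rp-demo-")
    docs = {"budget.csv": b"month,spend\njan,1200\n" * 60, "plan.md": b"# Q3 plan\n- patch servers\n" * 50}
    paths = []
    for i, encrypted in enumerate((False, False, True), start=1):
        root = os.path.join(base, f"rp-{i:02d}")
        os.makedirs(root)
        for name, body in docs.items():  # after encryption the same names hold random bytes
            _write(os.path.join(root, name), os.urandom(len(body)) if encrypted else body)
        if encrypted:
            _write(os.path.join(root, "RESTORE-FILES.txt"), b"constructed ransom note\n")
        paths.append(root)
    return paths
```

Run against a mounted snapshot tree instead of the demo directories; the verdict never consults the production host, which is the point.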

Disabling the EDR during the attack also erases the evidence you would use later to decide which backup is safe to restore.

"We already run EDR" is the assumption being attacked

Endpoint detection is still the front line, and nothing here argues against it. The Gentlemen built GentleKiller precisely because EDR works well enough to be worth disabling. The narrower issue is that a control an affiliate can turn off with a vulnerable driver cannot also be the thing that vouches for your recovery points after the fact. Immutability has the same limit: a locked vault preserves whatever was written to it, including a copy made while the sensors were dark.

For the next recovery review, take one tier-zero service and ask a specific question. If the EDR agents on its hosts had been disabled for the two weeks before your most recent backup, what independent evidence would tell you that recovery point is clean? If the only answer is that EDR did not alert, the plan is resting on a control the current ransomware market sells a tool to defeat.

See where your recovery stands

In a Recovery Posture Assessment, our team works with you to inspect your existing backups for ransomware and encryption and identifies your last known clean recovery point per critical service, independent of whatever production detection did or did not catch. Book a session and we will show you what your recovery points would reveal.


Sources

[1] ESET, Killing me gently: Inside Gentlemen’s EDR killer framework, June 2026

[2] ESET, ESET Research investigates Gentlemen ransomware gang and its defense-evasion tools, June 2026

[3] MITRE ATT&CK, T1562.001: Impair Defenses: Disable or Modify Tools

Elastio Team