'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear
By weaponizing the ThrottleStop.sys driver, attackers are disrupting antivirus and endpoint detection and response (EDR) systems.
Stay informed on the latest in Endpoint Detection & Response (EDR): Expert insights, attack prevention, and advanced threat management solutions.
Search across headline titles and summaries.
Background for this topic.
Endpoint Detection and Response (EDR) is software that records endpoint activity—such as process launches, file changes, scripts, logins, and network connections—to detect suspicious behavior and support investigation. It can alert analysts, trace an intrusion across affected devices, and take actions such as isolating an endpoint or terminating a process. Its purpose is to reduce attacker dwell time and limit movement after an endpoint is compromised.
EDR is most useful against techniques that evade simple antivirus signatures, but it is not a guarantee of visibility: attackers may exploit unmonitored devices, disable or tamper with an agent, or blend into legitimate administration. Effective deployment requires broad, maintained coverage; protected agents and access controls; sensible alert tuning; and retention of telemetry for threat hunting and scoping incidents. Organizations should regularly test isolation and response actions, address agent and endpoint vulnerabilities, and account for the privacy and access implications of collecting detailed user and device activity.
By weaponizing the ThrottleStop.sys driver, attackers are disrupting antivirus and endpoint detection and response (EDR) systems.
A threat actor is using a sophisticated EDR-killing malware tool in a campaign to maintain long-term, persistent access on Windows systems.