GodDamn Ransomware Exploits PoisonX Driver to Evade EDR

GodDamn ransomware uses PoisonX driver to kill endpoint defences

GodDamn ransomware has emerged as a new threat, leveraging the PoisonX kernel driver to disable endpoint security defences. This development, reported by Symantec, highlights an alarming evolution in ransomware attack techniques, particularly their focus on bypassing EDR (Endpoint Detection and Response) tools. The GodDamn ransomware was first observed in the wild on 21 May 2026, and evidence suggests it is a rebrand of the previously known Beast ransomware.

GodDamn Ransomware: Timeline and Discovery

The first public detection of GodDamn ransomware occurred on 21 May 2026. Security analysts from Symantec’s Threat Hunter Team noted that the malware’s code and operational tactics closely resemble those of the Beast ransomware, which has targeted organisations globally in recent years. GodDamn’s distinguishing feature is its use of the PoisonX kernel driver, a sophisticated tool designed to neutralise security applications at the system level.

GodDamn’s initial infections were found across several small and medium-sized businesses (SMBs), with a primary focus on Windows environments. The timing and the pattern of deployment indicate an ongoing campaign, with attackers actively seeking to evade advanced security solutions deployed by modern organisations.

How the PoisonX Driver Enables Endpoint Security Bypass

The standout tactic in the GodDamn ransomware campaign is the abuse of a vulnerable or malicious kernel-mode driver, named PoisonX. Once deployed, PoisonX operates with high privileges in the Windows operating system. This allows it to directly interact with core system functions and, crucially, to disable or tamper with endpoint security solutions such as antivirus and EDR tools.

  • Driver Loading: GodDamn drops and loads the PoisonX driver early in its execution, typically by exploiting Windows driver signature enforcement weaknesses.
  • EDR Termination: The driver scans for running processes associated with known security software and forcibly terminates them, often bypassing self-protection mechanisms that would otherwise prevent such action from user-mode malware.
  • Persistence and Payload Delivery: With endpoint defences disabled, GodDamn proceeds to deliver its ransomware payload, encrypting files and demanding payment from victims.

This method reflects a growing trend in ransomware operations, where threat actors increasingly target the kernel layer to undermine security. PoisonX’s success lies in its ability to operate below the level of most EDR controls, making it particularly effective against legacy and misconfigured systems.

Affected Products and Attack Surface

The GodDamn ransomware attacks have primarily impacted organisations running Windows operating systems. The PoisonX driver targets a wide range of endpoint security products, including but not limited to:

  • Microsoft Defender for Endpoint
  • Symantec Endpoint Protection
  • CrowdStrike Falcon
  • SentinelOne
  • Other popular EDR and antivirus solutions

Attackers appear to focus on SMBs, which may lack robust driver-blocking policies or have endpoints with memory integrity features disabled. No specific Windows versions have been singled out, but any system that allows unsigned or vulnerable drivers to load is at risk.

Current Exploitation Status and Response

Since its discovery in May 2026, the GodDamn ransomware campaign remains active. Symantec’s researchers have observed multiple infection attempts, with evidence that attackers are adapting and refining the PoisonX driver to evade new detection techniques.

Indicators of compromise include the presence of unknown drivers with suspicious digital signatures and rapid termination of endpoint protection processes. Victims report near-total loss of security visibility before file encryption begins, underscoring the effectiveness of this approach.

Defensive Actions by Security Vendors

In response, Microsoft has updated its vulnerable driver blocklist and recommends enabling Memory Integrity (Hypervisor-protected Code Integrity, HVCI) to prevent malicious drivers from loading. EDR vendors are also enhancing self-protection and monitoring for unauthorised driver activity.

Why It Matters: Implications for Businesses

The use of PoisonX by GodDamn ransomware underscores how kernel-level attacks are now mainstream among cybercriminals. By targeting the foundation of the operating system, attackers can reliably bypass even well-configured endpoint security platforms.

This trend raises the stakes for businesses, especially those reliant on default or outdated security configurations. The sophistication of GodDamn’s approach means that even organisations with advanced EDR solutions are at risk if they do not keep pace with defensive innovations.

What Organisations Should Do Now

  • Review and enable Microsoft’s vulnerable driver blocklist on all Windows endpoints.
  • Ensure Memory Integrity (HVCI) is enabled to prevent unauthorised driver loading.
  • Validate that EDR and antivirus solutions have up-to-date self-protection modules.
  • Audit and update Windows Defender Application Control (WDAC) policies to block untrusted drivers.

Immediate attention to driver management and EDR self-protection is crucial to reducing exposure to campaigns like GodDamn.

Originally reported by thehackernews.com.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call