GodDamn Ransomware Uses PoisonX Driver to Disable Defenses

GodDamn ransomware rebrand uses signed PoisonX driver to blind EDR

GodDamn Ransomware: A Sophisticated Rebrand with New Tactics

GodDamn ransomware is making headlines for its aggressive tactics and innovative use of malicious drivers. This threat, a rebrand of a ransomware family active since 2022, has evolved to use the PoisonX kernel driver to disable endpoint protection before launching an attack. The focus keyword, GodDamn ransomware, has quickly become a serious concern for organisations running Windows environments.

Researchers have confirmed that GodDamn ransomware operators are not only relying on proven techniques like credential theft and lateral movement. They now deploy a unique signed driver to blind security tools, making their attacks stealthier and more damaging than previous variants. This event has already been observed in a real-world intrusion, sparking urgent warnings across the cybersecurity community.

Detailed Timeline and Attack Chain: How GodDamn Ransomware Works

Evolution and Rebranding History

The GodDamn ransomware family is now on its third rebrand. Originally known as Beast, the malware has undergone several changes since its emergence in 2022. Its operators have adapted their tactics to bypass modern security measures, culminating in the current variant’s use of a signed, malicious kernel driver: PoisonX.

Attack Sequence

  • Initial Access: Attackers gain entry to the target environment, typically via phishing, exploitation of vulnerable services or brute-force attacks.
  • Tool Deployment: Common remote access tools and credential theft utilities are used to map out the network. Attackers prepare for lateral movement and privilege escalation.
  • Driver Deployment: A fake security tool, bundled with the signed PoisonX kernel driver, is introduced. This driver is installed with administrative privileges, leveraging its trusted signature to avoid detection.
  • Disabling Defenses: PoisonX disables endpoint protection at the kernel level, effectively neutralising many antivirus and EDR solutions. This makes it far more difficult for defenders to detect or stop the attack in progress.
  • Ransomware Execution: With security controls blinded, the GodDamn ransomware payload is launched. Files across the network are encrypted, and ransom demands are issued to victims.

Products and Versions Targeted

The GodDamn ransomware campaign specifically targets Windows environments. The PoisonX driver is designed to operate within the Windows kernel, exploiting administrative privileges to manipulate system functions. While no specific Windows versions have been named as immune, all supported and legacy Windows Server and workstation versions are at risk if endpoint protection can be disabled.

Real-World Incident: Stealthy Intrusion with High Impact

Researchers have observed GodDamn ransomware in action during a confirmed intrusion. In this event, the attackers were able to deploy the PoisonX driver inside the victim’s corporate network. Endpoint detection and response (EDR) tools were rendered ineffective, allowing the attackers to move laterally, escalate privileges and launch the ransomware payload undetected.

The intrusion demonstrates just how dangerous this approach is. By attacking the kernel itself, the threat actors bypass traditional hooks used by security software to detect and block malicious behaviour. This allowed for rapid encryption of large numbers of hosts, causing significant downtime and data loss for the victim organisation.

Exploitation Status and Tools Used

  • GodDamn ransomware is actively being used in the wild.
  • Attackers are deploying the PoisonX driver, which is signed to evade security checks.
  • The technique is effective against a range of endpoint protection products, as most rely on kernel-level hooks that PoisonX can neutralise.
  • Attackers use a combination of existing credential theft utilities and remote access tools for lateral movement, making detection even harder once endpoint protection is disabled.

Why This Matters: Escalating Threats to Windows Environments

The use of a signed malicious kernel driver marks a dangerous escalation in ransomware tactics. By disabling endpoint protection at the kernel level, GodDamn ransomware operators can evade even advanced security solutions, giving them free rein within compromised networks.

Previous ransomware families have used vulnerable or unsigned drivers, but the PoisonX driver is both malicious and signed, making it harder for systems to distinguish from legitimate drivers. This raises the bar for defenders, requiring kernel-level monitoring and robust controls around driver installation.

Immediate Actions for Organisations

  • Review and restrict the ability to install kernel drivers to only trusted administrators.
  • Monitor for suspicious driver installations and validate the legitimacy of new drivers.
  • Ensure endpoint detection solutions are updated to recognise and respond to threats even if kernel-level hooks are tampered with.

Ongoing vigilance is required, as attackers continue to find new ways to bypass security. This incident highlights the importance of monitoring for abnormal behaviour, especially around driver installations and the disabling of protection tools.

Originally reported by cybersecuritynews.com.

Share this bulletin

About the Author

Headshot of Jonny Pelter, leading cyber security expert in the UK and CISO

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny Pelter

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

View Profile
Back to Bulletins
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call