GodDamn ransomware uses a Microsoft-signed malicious driver to disable defenses
Symantec detailed GodDamn, a ransomware operation that disables endpoint defenses using PoisonX, a malicious kernel driver its developers managed to get signed by Microsoft, an unusual escalation over the more common tactic of abusing a legitimate vulnerable driver. In an early-June attack, the operators used AnyDesk for remote access and a credential-harvesting toolkit that pulls passwords from browsers, Windows Credential Manager, cached domain credentials, email clients, and network traffic, before deploying the ransomware. Alongside the signed driver, they ran a user-mode tool disguised as a Symantec product to blind security software. Symantec links GodDamn to a developer it tracks as Hyadina and says the group is actively improving its defense-evasion capabilities.
- Check
- Watch for bring-your-own-driver activity and processes masquerading as security products, audit remote-access tools like AnyDesk in your environment, and monitor for credential-harvesting across browsers and Windows credential stores.
- Affected
- Windows organizations where attackers gain a foothold; GodDamn uses a Microsoft-signed malicious driver to switch off endpoint defenses, harvests credentials broadly, then encrypts systems, making detection before deployment much harder.
- Fix
- Enable driver block lists and tamper protection, restrict who can load kernel drivers, tightly control remote-access software, enforce phishing-resistant MFA, and keep monitored offline backups so encryption stays recoverable.