Full Report
Third iteration of ransomware from Hyadina developers who first launched the Monster ransomware in 2022.
Analysis Summary
# Tool/Technique: GodDamn Ransomware
## Overview
GodDamn ransomware is the third iteration of a malware lineage developed by the threat actor **Hyadina**. It is a direct rebrand of the "Beast" ransomware, which was itself a rebrand of "Monster" ransomware. This variant is notable for its use of a malicious, Microsoft-signed kernel driver to disable endpoint security products before beginning the encryption process.
## Technical Details
- **Type:** Malware family (Ransomware)
- **Platform:** Windows
- **Capabilities:** Credential harvesting, defense evasion (via BYOVD), large-scale file encryption.
- **First Seen:** May 21, 2026
## MITRE ATT&CK Mapping
- **[TA0005 - Defense Evasion]**
- **[T1068 - Exploitation for Privilege Escalation]** (Use of PoisonX driver)
- **[T1562.001 - Impair Defenses: Disable or Modify Tools]**
- **[TA0006 - Credential Access]**
- **[T1003.001 - OS Credential Dumping: LSASS Memory]**
- **[T1555 - Credentials from Password Stores]**
- **[TA0008 - Lateral Movement]**
- **[T1570 - Lateral Tool Transfer]**
- **[T1021.001 - Remote Services: Remote Desktop Protocol]**
- **[TA0040 - Impact]**
- **[T1486 - Data Encrypted for Impact]**
## Functionality
### Core Capabilities
- **File Encryption:** Encrypts local files, often appending the victim organization's name as the file extension (or the default `.God8Damn`).
- **Remote Access:** Leverages unauthorized installations of **AnyDesk** for persistent command and control.
- **Credential Harvesting:** Utilizes a custom toolkit based on NirSoft utilities and Mimikatz to dump passwords from browsers, mail clients, Wi-Fi profiles, and VNC sessions.
- **Lateral Movement:** Uses **PsExec** to propagate and execute commands across the enterprise network.
### Advanced Features
- **PoisonX Kernel Driver:** This is a malicious driver signed by the "Microsoft Windows Hardware Compatibility Publisher." It allows the ransomware to operate at the kernel level to terminate security processes (e.g., CrowdStrike Falcon) and remove user-mode API hooks.
- **Defense Evasion Wrapper:** Uses a loader (often named `symantec.exe`) designed to impersonate legitimate security software while dropping the malicious `g11.sys` driver.
## Indicators of Compromise
- **File Hashes (SHA256):**
- `e097f3b445b63b07afacde8d6a67f0be654dd51e228a3610fb0710a1f7e29a69` (GodDamn Ransomware)
- `2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d` (PoisonX Driver - g11.sys)
- `b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8` (Symantec.exe evasion tool)
- **File Names:** `encrypter-windows-gui-x86.exe`, `g11.sys`, `symantec.exe`, `anydesk.exe` (staged in non-standard folders like `\Music\`).
- **Network Indicators:**
- 15.235.230[.]188
- 185.229.191[.]39
- 141.95.145[.]210
- 162.19.171[.]150
- **Behavioral Indicators:** Execution of PsExec (`psexesvc.exe`), disabling of Windows Defender real-time monitoring via CMD, and unauthorized AnyDesk outbound connections.
## Associated Threat Actors
- **Hyadina** (Developers of Monster and Beast ransomware).
## Detection Methods
- **Signature-based:** Standard AV/EDR signatures for the known SHA256 hashes of the PoisonX driver and GodDamn binaries.
- **Behavioral:**
- Monitoring for the loading of unsigned or suspicious signed drivers (BYOVD).
- Alerts for administrative tools (AnyDesk, PsExec, Netscan) running from user profile directories (e.g., `\Music\`, `\Pictures\`).
- **YARA:** Target the unique IOCTL codes used by the PoisonX driver to communicate with security software interfaces.
## Mitigation Strategies
- **Driver Allowlisting:** Implement Windows Defender Application Control (WDAC) to prevent the loading of non-authorized drivers, even if signed.
- **Software Restriction:** Block unauthorized remote desktop software like AnyDesk at the firewall and endpoint level.
- **Credential Protection:** Enable LSA Protection and Credential Guard to mitigate the effectiveness of Mimikatz and other dumpers.
- **Privilege Management:** Minimize the use of local admin accounts to prevent the installation of kernel-level drivers.
## Related Tools/Techniques
- **Beast Ransomware:** The direct predecessor.
- **Monster Ransomware:** The original variant from 2022.
- **BYOVD (Bring Your Own Vulnerable Driver):** The general technique of using drivers to bypass EDR/AV security.