Full Report
Cybersecurity researchers have flagged a new ransomware family called GodDamn that employs the PoisonX kernel driver to neutralize security software as part of its defense evasion strategy. According to a new report published by the Threat Hunter Team from Symantec, the ransomware was first publicly spotted in the wild on May 21, 2026. It's assessed to be a rebrand of the Beast ransomware,
Analysis Summary
# Tool/Technique: GodDamn Ransomware
## Overview
GodDamn is a ransomware family identified in mid-2026, characterized by its use of the "PoisonX" malicious kernel driver to neutralize security software. It is a rebrand of the **Beast** ransomware, which itself evolved from the Delphi-based **Monster** ransomware. The operation is associated with the threat actor group tracked as **Hyadina**.
## Technical Details
- **Type:** Ransomware family
- **Platform:** Windows
- **Capabilities:** File encryption, defense evasion via BYOVD (Bring Your Own Vulnerable Driver), credential harvesting, and lateral movement.
- **First Seen:** May 21, 2026
## MITRE ATT&CK Mapping
- **[TA0005 - Defense Evasion]**
- [T1014 - Rootkit] (Use of PoisonX kernel driver)
- [T1027 - Obfuscated Files or Information] (Dressing tools as legitimate Symantec products)
- [T1068 - Exploitation for Privilege Escalation] (BYOVD technique)
- [T1562.001 - Impair Defenses: Disable or Modify Tools]
- **[TA0006 - Credential Access]**
- [T1555 - Credentials from Password Stores]
- **[TA0008 - Lateral Movement]**
- [T1570 - Lateral Tool Transfer] (Use of PsExec)
- **[TA0003 - Persistence]**
- [T1543.003 - Create or Modify System Process: Windows Service] (AnyDesk auto-start)
## Functionality
### Core Capabilities
- **File Encryption:** Renames files with a specific extension (e.g., `.God8Damn` or the victim's name).
- **Lateral Movement:** Utilizes **PsExec** to spread across reachable hosts within a network.
- **Persistence:** Configures **AnyDesk** as an auto-start Windows service to maintain remote access.
### Advanced Features
- **BYOVD (Bring Your Own Vulnerable Driver):** Deploys the **PoisonX** kernel driver (`g11.sys`), which is a malicious driver reportedly signed by Microsoft, to kill processes belonging to AV/EDR products.
- **Stealth Credential Harvesting:** Uses a NirSoft-based toolkit to extract data from browsers, Windows Credential Manager, VNC sessions, and email clients.
- **Defense Disruption:** Employs a user-mode tool masquerading as `symantec.exe` to assist in impairing system defenses.
## Indicators of Compromise
- **File Hashes:** [Not specified in the article; research suggests checking original Symantec/Broadcom report for SHA256 hashes]
- **File Names:**
- `g11.sys` (PoisonX driver)
- `symantec.exe` (Malicious defense evasion tool)
- `God8Damn` (Common encrypted file extension)
- **Network Indicators:**
- Use of qTox (encrypted messaging) for ransom negotiations.
- Defanged AnyDesk traffic.
- **Behavioral Indicators:**
- Execution of PowerShell scripts for bulk AnyDesk installation.
- Mass termination of security software processes via kernel-level instructions.
## Associated Threat Actors
- **Hyadina:** The developer and primary operator of the Monster/Beast/GodDamn lineage.
- **The Gentlemen (RaaS):** Known to use the same PoisonX driver in their "GentleKiller" tool.
## Detection Methods
- **Behavioral Detection:** Monitor for unauthorized loading of kernel drivers (especially those associated with BYOVD attacks) and the use of PsExec for bulk software deployment.
- **Process Monitoring:** Detect the termination of security agents (AV/EDR) and the presence of `symantec.exe` in unusual directories or with invalid certificates.
- **Script Analysis:** Watch for PowerShell scripts automating the setup of remote desktop software like AnyDesk.
## Mitigation Strategies
- **Driver Signature Enforcement:** Implement strict policies to block known vulnerable or malicious signed drivers (Microsoft's driver blocklist).
- **Principle of Least Privilege:** Limit administrator rights to prevent the loading of kernel drivers by unauthorized users.
- **Application Whitelisting:** Restrict the use of remote management tools like AnyDesk and PsExec to authorized administrative accounts only.
- **Credential Protection:** Enable Windows Defender Credential Guard to protect cached domain credentials.
## Related Tools/Techniques
- **Beast Ransomware:** The direct predecessor to GodDamn.
- **Monster Ransomware:** The original Delphi-based variant.
- **GentleKiller:** A defense evasion tool used by "The Gentlemen" RaaS that also utilizes the PoisonX driver.
- **PoisonX:** The specific malicious kernel driver used for defense evasion.