Title: Emergence of the GodDamn Ransomware: A Disconcerting Evolution in Cyber Threats
Cybersecurity experts have identified a newly emerging ransomware family known as GodDamn, which employs an innovative strategy to circumvent security measures. Notably, it utilizes the PoisonX kernel driver, designed to disable protective software, marking a significant development in ransomware tactics.
Recent analyses from the Threat Hunter Team at Symantec indicate that GodDamn first appeared on May 21, 2026. Analysts believe it is a rebranding of the earlier Beast ransomware, which itself was an upgrade from the Monster ransomware, introduced in March 2022. The evolution of these ransomware variants suggests that the group behind them, referred to as Hyadina, is continuously enhancing their malicious capabilities.
In an alarming incident in early June 2026, attackers using the GodDamn ransomware operation executed an infiltration strategy leveraging AnyDesk for remote access. They incorporated a NirSoft-based credential harvesting toolkit to collect sensitive information prior to deploying the ransomware. The initial access method remains undetermined, but this credential harvester is particularly advanced, extracting crucial data from an array of sources, including web browsers, the Windows Credential Manager, cached domain credentials, VNC sessions, email clients, Wi-Fi profiles, and live network traffic.
Furthermore, during these attacks, the perpetrators employed a user-mode evasion tool disguised as a legitimate Symantec product, labeled “symantec.exe.” The use of the PoisonX kernel driver (identified as “g11.sys”) marks a sophisticated approach to disabling endpoint defenses. This tactic, referred to as a "bring your own vulnerable driver" (BYOVD) attack, allows attackers to exploit legitimate drivers signed by Microsoft, thereby granting them greater access to the victim’s system.
According to the Symantec Threat Hunter Team’s report shared with The Hacker News, the PoisonX driver presents a rather unique challenge. It has successfully been signed by Microsoft, enabling its utilization by ransomware attackers to bypass conventional security measures effectively.
The implications of this are dire. Notably, PoisonX constitutes one of eight drivers used by the operators of The Gentlemen ransomware-as-a-service (RaaS) scheme within its custom GentleKiller tool, distributed to affiliates for neutralizing system defenses before executing the encryption process. Broadcom highlighted that vulnerable drivers represent the most reliable access point for attackers, allowing them to gain administrative privileges and deploy flawed yet validly signed drivers onto target machines.
The hijacking of these signed drivers can lead to various malicious actions such as terminating the processes associated with antivirus or endpoint detection and response (EDR) software, effectively stripping machines of their protective measures. Some attackers may opt for subtler tactics, including undermining the functionality of security agents or tampering with critical kernel records, ultimately rendering the security products ineffective.
The deployment tactics utilized in this ransomware attack further demonstrate its complexity. Through the use of PsExec, a tool designed for executing processes on remote systems, attackers orchestrated lateral movement across networks. Once access was gained, AnyDesk was installed on all reachable hosts, configured to commence as an auto-start service, ensuring persistence after system reboots. Evidence points to some machines having their AnyDesk installations executed via a pre-staged PowerShell script, suggesting the implementation of a reusable installer to facilitate the process.
Symantec reported that the initial setup of AnyDesk on the compromised hosts culminated in a shutdown of the running process, followed by a system restart. By June 2, this methodology had been replicated across at least ten machines within the targeted organization’s network.
Interestingly, the GodDamn ransomware was identified on a different network segment on June 3, affecting a separate organizational unit. This intrusion was characterized by an unusual naming convention for encrypted files, adopting the victim’s name as the extension in place of the traditional “.God8Damn” suffix.
A report from CYFIRMA indicated that the ransom note circulated post-intrusion directed victims to communicate with the attackers either through email or the qTox encrypted messaging application.
The emergence of the GodDamn ransomware, with its innovative use of the PoisonX malicious driver, exemplifies a worrying escalation in evasion capabilities. This development underscores the need for continuous advancements in cybersecurity measures to counteract the evolving threats posed by groups like Hyadina, which are firmly bent on refining their ransomware tactics and capabilities. The cybersecurity landscape is facing a critical juncture, with the potential for increasingly sophisticated attacks necessitating vigilance and prompt action to safeguard sensitive information across networks.
