New Ransomware Exploits Malicious Driver to Remove Security Protection

New Ransomware Exploits Malicious Driver to Remove Security Protection

New Ransomware Exploits Malicious Driver to Remove Security Protection

https://www.infosecurity-magazine.com/news/ransomware-removes-cybersecurity/

Publish Date: 2026-07-10 09:00:00

Source Domain: www.infosecurity-magazine.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points. The latest incarnation of a family of ransomware which has been hitting organizations since 2022 has evolved to exploit Microsoft-signed malicious drivers to prevent endpoint defenses from detecting and disrupting its attacks.

Detailed by cybersecurity researchers at Symantec, GodDamn ransomware first appeared in May 2026 and analysis of the code revealed that it is the newest iteration of Beast ransomware, itself is a rebrand of Monster ransomware which was first seen in 2022. All three forms of ransomware are part of a family which has been dubbed Hyadina.

In a blog post published on July 9, Symantec researchers said the attackers were spotted leveraging AnyDesk, a remote desktop application, which was hidden on the affected endpoint in a folder named ‘Music’ and made outbound connections to unknown IP addresses.

Researchers said it is unknown how the attackers gained initial access to the machine prior to this, but account compromise is a common starting point for ransomware attacks.

From here, the attackers used an executable file disguised as a Symantec product to drop PoisonX, a malicious kernel driver which carries a legitimate Microsoft Windows Hardware Compatibility Publisher signature into the system driver store and is used to terminate security product processes, further lowering the defenses of the system.

Read More: Why Ransomware Remains One of Cybersecurity’s Most Persistent and Costly Threats

It is not known how the signature was attained, but common methods of achieving this include usen stolen corporate identities to sign off the driver, or by attackers secretly exploiting legitimate third-party drivers.

With the defenses lowered, the attackers installed tools including NirSoft and Mimikatz, which are used to steal credentials, cookies, live network traffic and more, with the aim of finding means to gain further control over the machine and the wider network, including administrator accounts.

Finally, when enough control over accounts and systems had been gained, the attackers triggered GodDamn ransomware, encrypting the files and displaying a ransom note.

Researchers note that as the latest variant of ransomware from the Hyadina family, GodDamn demonstrates how ransomware operations continue to evolve their tools, tactics and procedures to ensure their attacks remain capable and effective.

“GodDamn’s use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group, indicating that Hyadina is continuing to actively develop its ransomware and its capabilities,” said the Symantec and Carbon Black threat hunter team.