A newly observed ransomware group operating under the name GodDamn is deploying a Bring Your Own Vulnerable Driver (BYOVD) technique that exploits a Microsoft-signed kernel driver to kill security software before deploying its ransomware payload against US-based targets.
What Is BYOVD?
Bring Your Own Vulnerable Driver (BYOVD) is an increasingly common attack technique where threat actors load a legitimate but vulnerable kernel-mode driver — often one that is legitimately signed by a trusted vendor — to execute code at the kernel level. Because the driver carries a valid signature, it can bypass Secure Boot and driver signing enforcement policies.
Once loaded, attackers exploit the driver's vulnerabilities to run arbitrary code in kernel space, enabling them to:
- Terminate security processes and services
- Disable endpoint detection and response (EDR) agents
- Manipulate kernel data structures to hide processes and files
- Establish persistence invisible to user-space security tools
The GodDamn Campaign
GodDamn has been observed targeting US companies across multiple sectors. The attack chain follows a pattern familiar to ransomware incident responders but with an important wrinkle: the vulnerable driver used is Microsoft-signed, meaning it carries implicit trust on Windows systems.
Microsoft signing a driver — even inadvertently, as part of legacy or third-party driver certification — creates a trusted artifact that security tools are unlikely to flag. The GodDamn operators leverage this trust to drop and load the driver without triggering standard antivirus or EDR alerts.
Attack Chain
- Initial Access — standard phishing or exploitation of internet-facing services (specific vector not yet confirmed publicly)
- Driver Deployment — the Microsoft-signed malicious kernel driver is written to disk and loaded
- Security Tool Termination — the driver is used to kill AV/EDR processes at the kernel level, leaving the endpoint blind
- Ransomware Execution — GodDamn's ransomware payload encrypts files and drops ransom notes
- Extortion — victims are contacted with ransom demands, likely accompanied by data exfiltration threats
Why Microsoft-Signed Drivers Are a Problem
Microsoft's Windows Hardware Quality Labs (WHQL) program signs drivers to verify they are stable and compatible with Windows. However, the signing process does not guarantee the driver is free of exploitable vulnerabilities. Legitimate drivers from real vendors have been repeatedly weaponized in BYOVD attacks:
- Gmer.sys (anti-rootkit tool)
- RTCore64.sys (MSI Afterburner)
- mhyprot2.sys (MiHoYo game anti-cheat)
Microsoft has published a vulnerable driver blocklist and distributes it via Windows Defender updates, but the blocklist lags behind attacker discovery of new vulnerable drivers. The GodDamn campaign underscores that this lag creates a practical exploitation window.
Detection and Defense
Preventive Controls
| Control | Description |
|---|---|
| Enable Microsoft Vulnerable Driver Blocklist | In Windows Security → Device Security → Core isolation → Microsoft Vulnerable Driver Blocklist |
| Windows Defender Application Control (WDAC) | Block unsigned or non-allowlisted drivers |
| Attack Surface Reduction (ASR) Rules | Block driver loading from non-standard paths |
| EDR with kernel-level visibility | Solutions with their own kernel driver can detect BYOVD attempts |
| Audit driver load events | Monitor Event ID 6 (driver loaded) in Sysmon |
Detection Indicators
- Unexpected
sc.exeornet.execommands loading kernel drivers - Security service processes terminating unexpectedly (Defender, CrowdStrike, SentinelOne agents)
- Kernel driver loaded from temp directories or user-writable paths
- Sysmon Event ID 6 entries for unknown or unusual
.sysfiles
Response
If GodDamn ransomware is suspected:
- Isolate affected endpoints immediately — do not attempt local remediation on an endpoint where security tools may already be disabled
- Preserve forensic artifacts (memory dump, disk image) before any remediation
- Check adjacent systems for lateral movement before assuming the compromise is contained
- Engage incident response — the driver-based technique complicates standard IR playbooks
The BYOVD Trend
BYOVD attacks have surged in frequency since 2023. Notable users include:
- BlackByte ransomware (RTCore64.sys)
- Scattered Spider (various)
- North Korean Lazarus Group (multiple campaigns)
The technique's effectiveness stems from a fundamental Windows trust model challenge: kernel-mode drivers carry enormous privilege, and the signing infrastructure was not designed with adversarial reuse in mind. Until Microsoft's blocklist enforcement becomes both comprehensive and real-time, BYOVD will remain a go-to technique for ransomware operators seeking to disable defenses before encryption.
The GodDamn campaign is a reminder that signed does not mean safe, and that kernel-level visibility is no longer optional for enterprise security teams.