Overview
Cybersecurity researchers at Symantec's Threat Hunter Team have published findings on GodDamn, a newly identified ransomware family that employs a kernel-level driver called PoisonX to disable endpoint defenses before executing its encryption payload. The technique — known as "bring your own vulnerable driver" (BYOVD) — has become increasingly common among sophisticated ransomware operators, and GodDamn's use of a purpose-built driver marks an escalation in this arms race.
The PoisonX Driver
At the core of GodDamn's defense evasion strategy is PoisonX, a kernel-mode driver that is loaded into the Windows kernel early in the attack chain. Kernel-level code runs with the highest privilege level in the operating system, giving it the ability to:
- Terminate protected processes — including EDR agents, antivirus engines, and security monitoring tools that protect themselves from being killed in user-mode
- Blind monitoring tools — unhook security software callbacks that alert on suspicious activity
- Persist beyond user-mode defenses — operate at a level where most endpoint security products cannot intervene
Once PoisonX disables or terminates security tooling, GodDamn proceeds with standard ransomware execution: discovery, lateral movement, data exfiltration for double-extortion leverage, and finally encryption.
BYOVD Attack Pattern
Bring-your-own-vulnerable-driver attacks have surged across the ransomware ecosystem. The pattern works as follows:
- Attacker obtains a signed, vulnerable driver — often a legitimate driver from a hardware or software vendor that contains an exploitable flaw, which can be loaded by Windows since it carries a valid Microsoft signature
- Attacker loads the driver on victim system — even without the associated hardware/software, Windows will load signed drivers
- Attacker exploits the driver vulnerability — using the driver's bug to execute code in kernel context
- Kernel-level code disables security tools — at this privilege level, security products cannot stop the attacker
GodDamn's PoisonX driver appears to be a custom-developed kernel component rather than an abused legitimate vendor driver, which if confirmed would represent a more sophisticated capability requiring substantial development effort and potentially a stolen or fraudulently obtained signing certificate.
Timeline and Discovery
According to Symantec's Threat Hunter Team, GodDamn was first observed publicly prior to the July 2026 disclosure, though the exact initial detection date has not been specified. The ransomware has been seen targeting enterprise environments, consistent with a big-game-hunting operational model.
Technical Indicators
Attack Chain
Initial Access
↓
Persistence establishment
↓
PoisonX driver load (kernel-level)
↓
EDR / AV termination
↓
Internal reconnaissance
↓
Lateral movement
↓
Data exfiltration (double-extortion staging)
↓
Encryption + ransom note deployment
What to Hunt For
- Loading of unsigned or anomalously signed kernel drivers
- Sudden termination of EDR / AV processes not initiated by administrators
- Mass file encryption operations following security tool outages
- Network connections to external infrastructure following driver load events
- Kernel callback registration anomalies (for EDR platforms with kernel telemetry)
Defense Recommendations
Immediate Actions
- Enable Microsoft Vulnerable Driver Blocklist — Windows Defender Application Control (WDAC) includes a blocklist of known-vulnerable drivers. Ensure it is enforced and up to date
- Audit driver loading events — monitor for kernel driver loads (
EventID 6in Sysmon, or equivalent EDR telemetry) and alert on unknown or unexpected drivers - Enforce driver signing requirements — configure Windows to require WHQL-signed drivers, blocking unsigned or fraudulently signed kernel components
- Harden EDR agent protection — ensure your EDR vendor's tamper protection is enabled; modern EDR platforms use kernel-level self-protection that makes process termination more difficult even at elevated privileges
Strategic Hardening
- Privileged Access Workstations (PAWs) — reduce attacker reach after initial access by limiting what credentials are available for lateral movement
- Tiered AD model — separating domain controllers, servers, and workstations limits the blast radius of a ransomware event
- Immutable backup strategy — ensure backups are physically or logically isolated from the production environment so encryption cannot reach them
- Tabletop exercises — specifically simulate a scenario where your EDR goes blind mid-attack; does your team detect it and respond without the telemetry stream?
Why Kernel Drivers Matter
Endpoint security products generally operate in user-mode (Ring 3), while the kernel operates in Ring 0. A user-mode security tool fundamentally cannot stop a kernel-mode attacker — it's a structural privilege gap. Microsoft has been progressively hardening Windows against BYOVD attacks (including the Vulnerable Driver Blocklist, Kernel Data Protection, and HVCI — Hypervisor Protected Code Integrity), but attackers continue to find gaps.
Organizations should assume that sufficiently motivated ransomware operators will find a way to blind endpoint defenses and architect their security programs accordingly — with network-level detection, immutable logging, and response playbooks that don't rely solely on endpoint telemetry.
References
- The Hacker News — GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses
- Symantec Threat Hunter Team — GodDamn ransomware analysis
- Microsoft — Vulnerable Driver Blocklist