Security researchers have identified a novel ransomware strain dubbed GodDamn that employs the PoisonX kernel driver to neutralize endpoint defenses. First detected in the wild on May 21, 2026, according to Symantec's Threat Hunter Team, the malware is believed to be a rebrand of the Beast ransomware family.

The primary threat lies in its use of a bring-your-own-vulnerable-driver (BYOVD) technique, which allows it to load a malicious kernel-mode driver co-signed by Microsoft. This driver, PoisonX, can terminate or disable security software running on compromised systems, effectively stripping away layers of defense before encryption begins. The tactic represents an evolution in ransomware capability, targeting the very tools meant to detect such attacks.

Technically, the attack chain begins with initial access, likely through phishing or exploit kits, followed by privilege escalation and driver deployment. The PoisonX driver operates at the kernel level, giving it the ability to kill processes and services tied to antivirus, EDR, and other security products. Indicators of compromise include the presence of the driver file or unexpected system service interactions.

As of now, no patches or specific workarounds have been released that directly address the driver abuse. However, Microsoft has been notified of the co-signed driver and may revoke the certificate. Organizations are advised to enable driver blocklist policies, restrict kernel driver loading, and monitor for unusual process termination patterns. Implementing application control and endpoint detection rules may help mitigate initial access.

The group behind GodDamn has not claimed responsibility publicly, but the rebranding from Beast ransomware suggests a mature threat actor. This incident underscores the growing sophistication of BYOVD attacks in the ransomware space, where trusted signed code becomes a liability.