A Ransomware Strain That Kills Protections First
Most ransomware hits you with encryption and a ransom note. But a new variant called GodDamn does something far more insidious: it disables your security software before it even starts encrypting files. Researchers at Symantec say the attackers are using a malicious kernel driver — one that still carries a valid Microsoft Windows Hardware Compatibility Publisher signature — to terminate endpoint defenses from the inside.
GodDamn first surfaced in May 2026. According to Symantec’s analysis, it’s the latest chapter in a ransomware family that has been plaguing organizations since 2022. The lineage goes like this: Monster ransomware (2022) → Beast ransomware → GodDamn. All three belong to a group the researchers call Hyadina.
This isn’t just an incremental update. It’s a deliberate escalation.
How the Attack Unfolds
The attack chain starts with a remote desktop tool. Symantec’s July 9 blog post reveals that the attackers planted AnyDesk on the target machine, hiding it inside a folder named ‘Music’. From there, the tool made outbound connections to unknown IP addresses.
How did the attackers get in? The researchers aren’t sure yet. But account compromise — stolen credentials, brute force, phishing — is the usual entry point for ransomware operations.
Once inside, the attackers drop an executable disguised as a Symantec product. That executable installs PoisonX, a kernel-mode driver that terminates security processes. The driver is signed with a legitimate Microsoft Windows Hardware Compatibility Publisher signature. How the attackers obtained that signature is unclear. Symantec notes two common paths: using stolen corporate identities to sign the driver, or secretly exploiting legitimate third-party drivers.
Either way, the result is the same: the machine’s defenses go dark.
Credential Theft and Lateral Movement
With security software knocked out, the attackers deploy tools like NirSoft and Mimikatz. These are standard-issue utilities for stealing credentials, cookies, and live network traffic. The goal is to find administrator accounts and gain control over the broader network.
This phase is critical. Ransomware that only hits one machine is a nuisance. Ransomware that compromises domain controllers and encrypts entire networks is a crisis.
Finally, the Encryption
Once the attackers have enough control — over accounts, systems, and the network — they trigger GodDamn. Files are encrypted. A ransom note appears. By that point, the victim has no security software running to stop it, and the attacker already holds the keys to the kingdom.
Why This Matters: The Evolution of Defensive Evasion
What makes GodDamn notable isn’t the encryption. It’s the method. Using a signed malicious driver to kill security products is a relatively new tactic, and it’s effective.
“GodDamn’s use of the relatively newly discovered PoisonX malicious driver component represents an escalation in defensive evasion capability by this group,” the Symantec and Carbon Black threat hunter team said in their analysis. “Indicating that Hyadina is continuing to actively develop its ransomware and its capabilities.”
In other words, the Hyadina group isn’t resting. They’re iterating. And each iteration makes their attacks harder to stop.
For defenders, the lesson is clear: relying solely on endpoint detection isn’t enough anymore. Attackers are finding ways to turn those tools off. Organizations need layered defenses — network segmentation, strict application control, and monitoring for unusual driver installations — to catch this kind of attack before the ransomware fires.
Because once GodDamn runs, your security software is already dead.