CyberSecurity

Signed Microsoft Driver Weaponized: ‘GodDamn’ Ransomware Unleashes BYOVD Attacks on US Firms

Published

on

A Signed Driver Turns Into a Weapon

A new ransomware strain dubbed GodDamn is making headlines for a particularly nasty trick: it leverages a Microsoft-signed kernel driver to disable endpoint security software before deploying its payload. The technique, known as Bring Your Own Vulnerable Driver (BYOVD), isn’t new—but the use of a legitimately signed driver makes it far harder to detect.

Security researchers at Trend Micro first spotted the campaign in late February 2025. The attackers are zeroing in on US-based organizations, including manufacturing firms, healthcare providers, and logistics companies. The goal? Disable defenses, steal data, and demand ransoms in cryptocurrency.

How BYOVD Turns a Signed Driver Into a Liability

BYOVD attacks work by exploiting a legitimate, signed kernel driver that contains a known vulnerability. In this case, the attackers use a driver signed by Microsoft that has a flaw allowing arbitrary code execution in kernel mode. Once loaded, the driver grants the ransomware the highest level of system access—ring 0—which lets it kill antivirus processes, delete backup files, and disable monitoring tools without triggering alerts.

The signed driver bypasses many security checks because the operating system trusts it. The attackers don’t need to exploit a zero-day; they just repurpose a driver that Microsoft already approved. This is the core of the BYOVD threat: the very mechanism meant to ensure trust becomes the attack vector.

Why US Companies Are in the Crosshairs

Trend Micro’s telemetry shows that GodDamn ransomware has hit at least 12 US organizations in the past month. The attackers appear to prioritize firms with weak endpoint detection and response (EDR) deployments—often smaller manufacturers or mid-sized healthcare groups that can’t afford layered security. Ransom demands range from $50,000 to $500,000, with payments directed to Bitcoin wallets.

The ransomware doesn’t just encrypt files; it exfiltrates data first. If the victim doesn’t pay, the attackers threaten to leak sensitive information on dark web forums. This double-extortion tactic has become standard in the ransomware ecosystem, but the BYOVD component gives GodDamn an edge: it can disable even the most aggressive EDR tools before they react.

The Technical Breakdown: What Happens Inside

When GodDamn infects a system, it drops a legitimate signed driver (often a known utility like aswArPot.sys or a similar driver from a security vendor) along with a loader. The loader calls the Windows service control manager to load the driver, which then communicates with the kernel. From there, the ransomware enumerates running processes and terminates anything related to security software—including antivirus engines, firewalls, and backup agents.

After clearing the defenses, GodDamn downloads its encryption module from a remote server. It uses a hybrid encryption scheme: AES-256 for file encryption and RSA-2048 for key protection. The ransomware targets over 400 file extensions, including databases, documents, and virtual machine images. It also deletes Volume Shadow Copies to prevent recovery without the decryption key.

Microsoft’s Response: A Patch and a Warning

Microsoft has since revoked the certificate used to sign the vulnerable driver and pushed a Windows Defender update that blocks the specific driver hash. The company also updated its Driver Blocklist policy to prevent the driver from loading on fully patched systems. However, the broader issue remains: any signed driver with a known vulnerability can be weaponized.

Security experts at Mandiant have urged organizations to implement driver blocklist policies proactively. They recommend using tools like Microsoft’s Driver Blocklist Policy or third-party solutions that monitor for unauthorized kernel driver loads. The key is to treat kernel-level access as a critical threat surface—even if the driver comes with a Microsoft stamp of approval.

Defending Against BYOVD Ransomware

Protecting against attacks like GodDamn requires a multi-layered approach. Here are the most effective steps security teams can take right now:

  • Enable driver blocklisting: Use Microsoft’s recommended blocklist or a third-party tool to prevent known vulnerable drivers from loading. Update the list regularly as new vulnerabilities are disclosed.
  • Deploy EDR with behavioral detection: Traditional signature-based antivirus won’t catch BYOVD. Endpoint detection and response tools that monitor for abnormal kernel driver loading can flag the attack early.
  • Restrict driver installation: Configure Windows Group Policy to only allow signed drivers from approved publishers. This won’t stop the attack entirely, but it adds friction.
  • Implement the principle of least privilege: Limit administrative rights on endpoints. BYOVD attacks often require admin-level access to load the driver, so reducing the number of privileged users reduces the attack surface.
  • Use application control: Tools like Windows Defender Application Control (WDAC) can block unauthorized executables, including driver loaders, from running.

The Bigger Picture: Trust but Verify

The GodDamn ransomware campaign is a stark reminder that digital signatures are not a guarantee of safety. Attackers are increasingly weaponizing signed drivers, and the security community is playing catch-up. Microsoft has improved its driver submission process in recent years, but the sheer volume of signed drivers makes it impossible to vet every one for latent vulnerabilities.

For now, the best defense is a healthy dose of skepticism. Treat every kernel driver—signed or not—as a potential threat. Monitor for unusual driver loading, keep blocklists updated, and assume that a signed driver can be turned against you. The attackers certainly are.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version