Home/ Blog/ Security news/ Article
Blog · Security news

GodDamn ransomware blinds EDR with a signed kernel driver. Detect the load, not the file.

GodDamn ransomware uses PoisonX, a kernel driver carrying a valid Microsoft signature, to disable EDR. Why signature checks fail here and what actually detects

Cracked wax seal on a smooth metal plate with faint glow from the fracture

A code signature tells you who wrote something. It has never told you whether that thing is safe to run. GodDamn, a ransomware family that Symantec's Threat Hunter Team flagged this week, is the latest reminder of the gap between those two ideas. It ships with a kernel driver named PoisonX (g11.sys) that, according to the reporting, carries a valid Microsoft signature. Windows loads it without complaint. Once it is resident in the kernel, it goes to work switching off the security software that was supposed to catch the ransomware.

We wrote in June that the endpoint detection and response (EDR) killer had become a shipped product, packaged and sold with ransomware kits. That was a user-mode tool. PoisonX is the same idea moved one privilege tier up, into the kernel, behind a signature the operating system trusts. The arms race did not change direction. It climbed the stack.

What GodDamn actually does

The mechanics are ordinary until the driver loads. Symantec, as reported by The Hacker News and Dark Reading, assesses GodDamn as a rebrand of the Beast ransomware, which itself grew out of the Delphi-based Monster family from early 2022. The developer group is tracked as Hyadina. The ransomware was first seen publicly on May 21, 2026, with a campaign following in early June.

The intrusion chain reads like most hands-on-keyboard ransomware. Operators use AnyDesk for remote access, a NirSoft-based toolkit to harvest credentials, and PsExec to move laterally. One user-mode component masquerades as symantec.exe to blend in. None of that is novel, and none of it is the point.

The point is PoisonX. Because the driver is signed, Windows accepts it into the kernel. From there it does what kernel-mode EDR killers do: it terminates the processes belonging to antivirus and EDR products, and it tampers with the kernel's internal notification records so the security product stops receiving the events it relies on. Your agent does not crash with an error. It simply goes silent, still installed, still reporting healthy, no longer seeing anything.

A signature is an identity claim, not a safety claim

This is the part worth sitting with. Code signing was built to answer one question: did this come from who it says it came from. It was never designed to answer the question defenders actually care about, which is whether the code is hostile. Those two questions only line up as long as an attacker cannot get hostile code signed. That assumption has been eroding for years. Malicious drivers pushed through Microsoft's own driver-signing programs have surfaced repeatedly since 2022, and PoisonX is the same category of problem: not a legitimate driver with a bug in it, but a driver built to do harm that nonetheless holds a signature the platform honors.

That distinction matters for how you defend against it, because the two flavors of driver abuse fail differently.

ApproachBring your own vulnerable driverSigned malicious driver (PoisonX)
What is signedA legitimate third-party driver with an exploitable flawA driver purpose-built to kill security tools
How the kill happensAttacker exploits the flaw to reach the kernelThe driver already runs in the kernel by design
Does a blocklist catch itYes, once the vulnerable driver is known and listedOnly after Microsoft revokes it and the block propagates
Reliable detection signalThe driver load plus a known-bad hashThe driver load plus the EDR going quiet
Two driver-abuse patterns and where each is caught. Source: Suriq analysis of Symantec reporting.

The vulnerable-driver route leaves a hash you can blocklist. The signed-malicious route does not give you that, at least not until the signature is revoked and the revocation reaches your fleet. In the window before that happens, and it is often a long window, the driver looks clean to every signature check you own.

Enforce the blocklist you assume is already on

Microsoft maintains a Vulnerable Driver Blocklist that stops known-bad drivers from loading. It is the right control, and most people assume it is running. On a lot of Windows Server builds it is not enforced unless memory integrity, also called hypervisor-protected code integrity (HVCI), is turned on, and HVCI is off by default in many environments. Check the actual enforcement state on your servers rather than assuming the default protects you, and turn it on where your hardware supports it.

Understand the limit, though. A blocklist is reactive by construction. It catches the driver you already know is bad. A freshly signed driver like PoisonX is not on the list on day one, so blocklist enforcement raises the floor without closing the door. That is exactly why the detection has to move off the file and onto the behavior.

Watch the load, then watch the silence

There are two moments to catch a kernel EDR killer, and you want both.

The first is the driver load itself. A new kernel-mode service or driver appearing on a server that has not changed in months is an event, not noise. We made this same point about a backdoor that moved into the Windows kernel: the detection window opens at load and closes fast. Alert on new driver and kernel-service creation, correlate it against your change records, and treat an unexplained one on a production server as an incident until proven otherwise. This is the earlier of the two signals and the one that buys you time.

The second is the silence. When PoisonX unhooks the kernel callbacks, your EDR stops sending telemetry while still appearing online. A gap in the event stream from a host that is clearly still running is itself the alarm. Build the detection that fires when an agent goes quiet, not just the one that fires when it reports something bad. An endpoint that suddenly has nothing to say is the loudest thing in your threat hunt that night.

Both of these are behavioral, host-centric signals that no signature check will ever produce, which is the whole argument for pairing endpoint prevention with monitored detection. Managed detection and response earns its keep on the second event: an analyst watching for the agent that went dark, the alert mapped to the technique rather than the file. Suriq's endpoint and cross-layer detection and its monitored response are built on that assumption, that prevention will occasionally be blinded and something still has to be watching the gap.

Assume your next EDR killer will be signed too

GodDamn is not a special case. It is where this class of attack has been heading since custom EDR killers started shipping with ransomware kits, and the signed kernel driver is the logical next rung. Plan for it. Enforce driver blocklisting where you can, alert on every new kernel driver load, and build the detection that treats a silent agent as an active incident. The signature on the driver will keep lying to you. The silence after it loads will not.

Topics

Frequently asked questions

What is the PoisonX driver in GodDamn ransomware?

PoisonX (g11.sys) is a kernel-mode driver that GodDamn ransomware loads to disable endpoint defenses. According to Symantec's reporting, it carries a valid Microsoft signature, so Windows loads it. It then terminates antivirus and EDR processes and tampers with kernel notifications so those tools stop receiving events.

How is a signed malicious driver different from a vulnerable driver attack?

A bring-your-own-vulnerable-driver attack abuses a legitimate driver that has a flaw. A signed malicious driver, like PoisonX, is built to do harm yet still holds a valid signature. The vulnerable driver can be blocklisted by hash. The signed malicious one passes signature checks until Microsoft revokes it.

Does Microsoft's Vulnerable Driver Blocklist stop PoisonX?

Not on its own. The blocklist stops known-bad drivers, but it is reactive and will not include a freshly signed driver on day one. It is also not enforced on many Windows Server builds unless memory integrity (HVCI) is turned on. Enable enforcement, but pair it with behavioral detection.

How do you detect a kernel-mode EDR killer like PoisonX?

Watch two events. First, alert on any new kernel driver or service load on a server that has not changed, and treat an unexplained one as an incident. Second, alert when an EDR agent stops sending telemetry while still showing as online. That silence is the confirmation the agent was blinded.

Who is behind GodDamn ransomware?

Symantec's Threat Hunter Team tracks the developer group as Hyadina and assesses GodDamn as a rebrand of the Beast ransomware, which grew out of the Delphi-based Monster family from early 2022. The ransomware was first seen publicly on May 21, 2026, with a campaign following in early June.

Why does a code signature not prove software is safe?

Code signing answers one question: did this come from who it claims. It was never designed to prove the code is benign. Those two only align while attackers cannot get hostile code signed. When they can, as with PoisonX, a valid signature and a malicious purpose sit in the same file.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.