Cybersecurity researchers have discovered a new ransomware operation called GodDamn that uses an advanced technique to disable security software before encrypting files. According to researchers, this ransomware is not entirely new but is believed to be the latest version of the Beast ransomware family, which itself evolved from the Monster ransomware first seen in 2022. The group behind these ransomware families is being tracked under the name Hyadina.

goddamn-ransomware-security-shut-down-thumbnail

Researchers found that the attackers relied on several tools during an intrusion that took place in early June 2026. They used AnyDesk to gain remote access to the victim’s computer and deployed multiple password recovery tools based on the NirSoft toolkit. These tools were capable of collecting credentials stored in web browsers, Windows Credential Manager, email clients, Wi-Fi profiles, VNC sessions, cached domain credentials, and even live network traffic.

One of the most important parts of the attack was the use of a fake program named symantec.exe, which was designed to appear like legitimate Symantec software. Instead of providing security, the program secretly installed a kernel driver called PoisonX. The driver was then used to disable endpoint security solutions, allowing the ransomware to run without being blocked by antivirus or Endpoint Detection and Response (EDR) products.

ransomware-neon-cybersecurity-threat-concept

Security researchers explained that PoisonX is different from many drivers used in previous attacks. While many ransomware groups abuse vulnerable but legitimate drivers in Bring Your Own Vulnerable Driver (BYOVD) attacks, PoisonX appears to be a malicious driver that was successfully signed by Microsoft. Because Windows trusts properly signed drivers, the operating system loads it with high-level privileges, making it much easier for attackers to interfere with security software.

Once the PoisonX driver was active, it could terminate security-related processes and remove protections that monitor suspicious activity. This effectively blinded endpoint security products, giving the attackers enough time to continue their operation without detection. Researchers said this technique highlights how ransomware operators are increasingly targeting security tools first before launching file encryption attacks.

cybersecurity-warning-ransomware-alert

The exact method used to gain initial access to the victim’s network is still unknown. However, investigators observed suspicious activity beginning with an unusual installation of AnyDesk inside a user’s Music folder instead of the normal installation location. This suggests the attackers had already obtained access to the system before manually placing the remote access software on the compromised computer.

Researchers also noticed an unusual behavior after the ransomware encrypted files. In some attacks, encrypted files received the .God8Damn extension, while in the investigated incident the attackers renamed files using the victim organization’s name as the extension instead. The ransomware also created a ransom note named README.TXT, providing instructions for victims to contact the attackers and recover their encrypted data.

endpoint-security-dashboard-ransomware-protection

The discovery of GodDamn ransomware shows that modern ransomware groups continue to improve their techniques for bypassing security defenses. Instead of focusing only on file encryption, attackers are investing more effort into disabling antivirus and EDR solutions before the final stage of the attack. Security experts recommend keeping endpoint protection updated, enforcing multi-factor authentication, limiting remote access tools, monitoring the loading of kernel drivers, and maintaining offline backups to reduce the impact of ransomware incidents.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news