🟠 High  |  Source: The Hacker News


A new ransomware strain called GodDamn, believed to be a rebrand of the Beast ransomware family, uses a malicious kernel driver called PoisonX to disable endpoint security tools before encrypting systems. First observed in the wild in May 2026, it employs a Bring Your Own Vulnerable Driver (BYOVD)-style technique to operate at the kernel level, bypassing traditional defences. This approach makes it particularly dangerous as it can neutralise EDR and antivirus solutions before the payload deploys.

Security Architect’s Take: Ensure your cloud workloads and hybrid endpoints enforce kernel driver signing policies and blocklist known vulnerable drivers using tools such as Microsoft’s recommended driver blocklist or equivalent controls. Prioritise deploying tamper-protection features on EDR solutions and consider network-level detection for lateral movement patterns consistent with pre-ransomware activity.

Original advisory: GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses