
GodDamn Ransomware Uses Microsoft-Signed Kernel Driver to Blind EDR on 10 Hosts
Security researchers report Hyadina’s GodDamn ransomware escalated with PoisonX, a purpose-built, Microsoft-signed kernel driver that terminates kernel callbacks to disable endpoint detection and response across at least 10 Windows hosts before encryption begins. The attack involved AnyDesk for initial access, credential harvesting, and PsExec for lateral movement, reflecting a Bring Your Own Vulnerable Driver (BYOVD) approach that leverages signing trust without behavioral review. Mitigations include enabling Hypervisor-Protected Code Integrity (HVCI), enforcing WDAC policies, applying driver block rules, and using behavioral detection (Sysmon Event ID 6, Code Integrity logs) alongside offline backups to recover from such incidents.