New 'GodDamn' Ransomware Uses a Rogue Driver to Kill Antivirus Software
Symantec links the May 2026 strain to the older Beast ransomware family, with medium confidence it's a rebrand.

Key points
- Symantec's Threat Hunter Team first observed the GodDamn ransomware in the wild on May 21, 2026.
- The malware ships with a Windows kernel driver called PoisonX that shuts down antivirus and endpoint security tools before the files get locked.
- Symantec assesses GodDamn to be a rebrand of the earlier Beast ransomware family.
- The attack pattern lines up with a wider trend of criminal groups abusing signed or vulnerable drivers to blind defenders.
Security researchers have flagged a new strain of ransomware, malicious software that locks a company's files and demands payment to unlock them, going by the name GodDamn.
The malware carries a tool called PoisonX. This is a kernel driver, meaning a piece of software that runs at the deepest, most trusted level of Windows. From there it can reach up and switch off the very security products meant to catch it.
Symantec's Threat Hunter Team says it first saw the ransomware in the wild on May 21, 2026. The team, which reports its findings publicly, assesses with medium confidence that GodDamn is a rebrand of an older ransomware family known as Beast.
The original reporting on the family was published by The Hacker News.
What does this actually mean for a normal business?
It means that if GodDamn lands on a company's network, the antivirus on those machines may go quiet right before the files are scrambled. Staff and IT teams often only notice something is wrong when computers start showing ransom notes.
The technique itself is not new. Criminal crews have spent the last two years buying, stealing, or crafting kernel drivers specifically to disable endpoint detection and response tools (EDR), which are the modern replacements for traditional antivirus. Analysts often refer to this class of tool as an "EDR killer".
What is notable here is the pairing. GodDamn appears to be a ready-made kit: the file-locking payload plus PoisonX bundled together. That lowers the skill needed to pull off an attack.
Who is behind it?
Attribution is thin at this stage, and worth flagging honestly.
Symantec's link to Beast is based on code and behaviour overlaps, not on a named group or country. There is no public indication that this is the work of a nation-state crew such as Sandworm or a known ransomware-as-a-service brand. Treat any confident naming you see elsewhere with caution until a second vendor corroborates it.
Beast itself was a criminal, financially motivated operation, so a rebrand fits that same profile. Capability (a working driver-based defence killer) is not the same as intent (who gets targeted, and why).
How does the driver trick work?
Windows will only load kernel drivers that are digitally signed, essentially stamped as trustworthy by a recognised software publisher. Criminals get around this in two ways.
Some groups steal or buy legitimate signing certificates. Others use "bring your own vulnerable driver", where they load a real, signed driver that happens to have a known flaw, then abuse that flaw to get their own code running with kernel privileges.
Symantec has not yet published the full technical breakdown of which route PoisonX takes. That detail matters, because it changes what defenders should block.
What should ordinary people watch for?
If you're a customer of a company that gets hit, you may see service outages, delays in getting records, or, later, a breach notification letter telling you what data was taken. Follow the instructions in any official letter, and be wary of unexpected emails or calls claiming to be from the affected company in the weeks after. Criminals often use the confusion around a public incident to run follow-on scams.
For businesses, the sensible move right now is to check that your security software is configured to alert on new kernel drivers being loaded, and that backups are held offline where ransomware cannot reach them.



