At a glance: GodDamn ransomware disables security software using a Microsoft-signed kernel driver, significantly increasing the risk of successful attacks.
The GodDamn ransomware family employs a Microsoft-signed kernel driver to shut down security solutions on compromised systems. This enables attackers to encrypt and exfiltrate data unimpeded.
GodDamn ransomware uses a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique with a legitimate, Microsoft-signed kernel driver to disable protective software. This renders a common defense measure against malware ineffective: the Windows kernel permits the driver to terminate other processes and security services.
For CISOs, this attack method represents a significant increase in threat risk. Even modern endpoint detection and response (EDR) solutions can be endangered if the attacker has gained administrator privileges and deploys the signed driver to the system. The driver’s legitimacy makes detection considerably more difficult, as traditional reputation-based protective measures will not flag it as suspicious.
Affected organizations should review their privileged access management (PAM) strategies and strengthen multi-factor authentication and segmentation. Additionally, it is recommended to audit kernel driver loading operations and use driver block lists, if this technology is available in your infrastructure.
Source: www.darkreading.com · Published 9 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.