Evolution of a Ransomware Family
The GodDamn ransomware represents the third major rebranding of a threat lineage that began with Monster in 2022. Originally written in Delphi and targeting 32-bit Windows systems, the ransomware operated as a service for affiliates. In June 2024, the group behind it rebranded as Beast, expanding to Linux and VMware ESXi environments while improving encryption methods. By 2025, Beast attacks incorporated tools like Gmer rootkit scanner, Defender Control, and IObit Unlocker. GodDamn continues this pattern, sometimes appending the .God8Damn extension to encrypted files, though in one investigated case it used the victim organization’s name instead.
PoisonX Driver and Attack Methodology
The most significant addition in GodDamn attacks is the PoisonX kernel driver, which carries a legitimate Microsoft signature despite its malicious purpose. Unlike typical bring-your-own-vulnerable-driver techniques, PoisonX appears custom-built to terminate security processes at the kernel level. In a documented intrusion, attackers dropped the driver alongside a fake symantec.exe file designed to impersonate a trusted security product while disabling Windows Defender’s real-time monitoring. They then used PsExec for lateral movement, installed AnyDesk on multiple hosts for persistent access, and deployed the ransomware. The four day gap between initial access and encryption suggests the group conducted reconnaissance and credential harvesting before activating the payload.
Source: Cyber Security News
