Ransomware Used Microsoft-Signed Malicious Driver to Kill EDR: 10 Hosts Hit Before Encryption
Key Points:
- The GodDamn ransomware group, active since 2022 and tracked as Hyadina, has developed a new kernel-level attack tool called PoisonX, a Microsoft-signed driver designed specifically to disable endpoint security software by operating at the highest privilege level (Ring 0), rendering user-mode security tools powerless.
- PoisonX removes kernel callbacks that endpoint detection and response (EDR) tools rely on, effectively blinding them without triggering alerts, allowing attackers to disable defenses across multiple machines before encryption begins.
- Microsoft's driver signing program verifies publisher identity but does not assess driver behavior, enabling PoisonX’s author to obtain a legitimate signature by misrepresenting the driver as a research tool, exposing a structural vulnerability in the driver trust model.
- The attack analyzed by Symantec unfolded over several days in mid-2026, involving credential harvesting, lateral movement using AnyDesk remote access, and deployment of PoisonX across at least 10 hosts before deploying ransomware, demonstrating a sophisticated, multi-stage intrusion.
- To mitigate such attacks, organizations should enable Hypervisor-Protected Code Integrity (HVCI) to enforce code integrity below kernel level, apply Windows Defender Application Control (WDAC) policies to block unauthorized drivers, monitor driver installation events for anomalies, and maintain air-gapped backups as a final defense.