{"id":287978,"date":"2026-07-10T09:00:00","date_gmt":"2026-07-10T13:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/10\/new-ransomware-exploits-malicious-driver-to-remove-security-protection\/"},"modified":"2026-07-10T10:50:17","modified_gmt":"2026-07-10T14:50:17","slug":"new-ransomware-exploits-malicious-driver-to-remove-security-protection","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/10\/new-ransomware-exploits-malicious-driver-to-remove-security-protection\/","title":{"rendered":"New Ransomware Exploits Malicious Driver to Remove Security Protection"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/ransomware-removes-cybersecurity\/\">New Ransomware Exploits Malicious Driver to Remove Security Protection<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/ransomware-removes-cybersecurity\/\">https:\/\/www.infosecurity-magazine.com\/news\/ransomware-removes-cybersecurity\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-10 09:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>The latest incarnation of a family of ransomware which has been hitting organizations since 2022 has evolved to exploit Microsoft-signed malicious drivers to prevent endpoint defenses from detecting and disrupting its attacks.<\/p>\n<p>Detailed by cybersecurity researchers at Symantec, GodDamn ransomware first appeared in May 2026 and analysis of the code revealed that it is the newest iteration of Beast ransomware, itself is a rebrand of Monster ransomware which was first seen in 2022. All three forms of ransomware are part of a family which has been dubbed Hyadina.<\/p>\n<p>In a blog post published on July 9, Symantec researchers said the attackers were spotted leveraging AnyDesk, a remote desktop application, which was hidden on the affected endpoint in a folder named \u2018Music\u2019 and made outbound connections to unknown IP addresses.<\/p>\n<p>Researchers said it is unknown how the attackers gained initial access to the machine prior to this, but account compromise is a common starting point for ransomware attacks.<\/p>\n<p>From here, the attackers used an executable file disguised as a Symantec product to drop PoisonX, a malicious kernel driver which carries a legitimate Microsoft Windows Hardware Compatibility Publisher signature into the system driver store and is used to terminate security product processes, further lowering the defenses of the system.<\/p>\n<p>Read More: Why Ransomware Remains One of Cybersecurity\u2019s Most Persistent and Costly Threats<\/p>\n<p>It is not known how the signature was attained, but common methods of achieving this include usen stolen corporate identities to sign off the driver, or by attackers secretly exploiting legitimate third-party drivers.<\/p>\n<p>With the defenses lowered, the attackers installed tools including NirSoft and Mimikatz, which are used to steal credentials, cookies, live network traffic and more, with the aim of finding means to gain further control over the machine and the wider network, including administrator accounts.<\/p>\n<p>Finally, when enough control over&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/ransomware-removes-cybersecurity\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Ransomware Exploits Malicious Driver to Remove Security Protection https:\/\/www.infosecurity-magazine.com\/news\/ransomware-removes-cybersecurity\/ Publish Date: 2026-07-10 09:00:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":287979,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/442f29f2-e97f-44cd-a26c-9e1a9cd314b9.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31],"class_list":["post-287978","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/287978"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=287978"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/287978\/revisions"}],"predecessor-version":[{"id":287980,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/287978\/revisions\/287980"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/287979"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=287978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=287978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=287978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}