Rapid7's Christiaan Beek has written proof-of-concept code for ransomware that can attack your CPU, and warns of future threats that could lock your drive until a ransom is paid. Such an attack would circumvent most traditional forms of ransomware detection.
In an interview with The Register, Beek, who is Rapid7's senior director of threat analytics, revealed that an AMD Zen chip bug gave him the idea that a highly skilled attacker could in theory "allow those intruders to load unapproved microcode into the processors, breaking encryption at the hardware level and modifying CPU behavior at will."
Google's Security Team had previously identified a security vulnerability in AMD's Zen 1 to Zen 4 CPUs that allows users to load unsigned microcode patches. It later emerged that AMD Zen 5 CPUs are also affected by the vulnerability. Thankfully, the issue can be fixed with new microcode, just like a previous Raptor Lake instability. However, Beek saw his opportunity. "Coming from a background in firmware security, I was like, woah, I think I can write some CPU ransomware," and that's exactly what he did.
According to the report, Beek has indeed written proof-of-concept code for ransomware that can hide in a CPU. Reassuringly, he promises it will not be released.
As per the report, Beek reckons this type of exploit could lead to a worst-case scenario: "Ransomware at the CPU level, microcode alteration, and if you are in the CPU or the firmware, you will bypass every freaking traditional technology we have out there."
Beek also referenced leaked comments from the Conti ransomware gang, which surfaced in 2022. In a presentation given at RSAC, he highlighted chat logs from the group. "I am working on a PoC where the ransomware installs itself inside UEFI, so even after reinstalling Windows, the encryption stays," reads one. Another noted that with modified UEFI firmware, "we can trigger encryption before the OS even loads. No AV can detect this."
The upshot? "Imagine we control the BIOS and load our own bootloader that locks the drive until the ransom is paid," a hacker hypothesized.
Beek warns that if bad actors were working on these exploits a few years ago, "you can bet some of them will get smart enough at some point and start creating this stuff."
To close his interview, Beek expressed his frustration that "We should not be talking about ransomware in 2025," and stated that everyone involved should be pulling together to fix the foundations of hardware security. He also bemoaned how many ransomware breaches were underpinned by high-risk vulnerabilities, weak passwords, lack of authentication, and more.
Follow Tom's Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds.