Bottom line: Chipmakers typically use microcode updates to fix bugs and improve CPU reliability. However, this low-level layer between hardware and machine code can also serve as a stealthy attack vector – capable of hiding malicious payloads from all software-based defenses. As threats evolve, even the deepest layers of a system can no longer be assumed safe.
A security researcher designed a way to "weaponize" microcode updates to install ransomware directly onto the CPU. Rapid7 analyst Christiaan Beek drew inspiration from a critical flaw in AMD's Zen processors, discovered by Google researchers earlier this year. The flaw could allow attackers to modify the RDRAND instruction and inject a custom microcode that always selects "4" when generating a random number.
Microcode updates should theoretically be exclusive to CPU manufacturers, ensuring the correct update installs only on compatible processors. While injecting a custom microcode is difficult, it is not impossible, as the RDRAND flaw demonstrates. Using his knowledge of firmware security, Beek set out to write a CPU-level ransomware.
The Register notes that the security expert developed a proof-of-concept (PoC) that hides a ransomware payload inside the processor. He described the breakthrough as "fascinating," though he has no plans to release any documentation or code from the PoC. Cybercriminals could bypass all traditional security technologies after compromising the CPU or motherboard firmware using Beek's method.
Beek emphasized that extremely low-level ransomware threats aren't just theoretical. The infamous BlackLotus bootkit, for example, can compromise UEFI firmware and infect systems protected by Secure Boot. He also quoted snippets from the Conti ransomware group chat log 2022 breach. Conti developers were reportedly working on a PoC to install ransomware directly into UEFI firmware.
"If we modify the UEFI firmware, we can trigger encryption before the OS loads. No AV can detect this," the cybercriminals stated.
With the right exploit, they could abuse vulnerable UEFI releases that allowed unsigned updates to carry out the covert ransomware installation.
If a few capable black hat hackers had been exploring this kind of threat years ago, Beek said, the most skilled among them would have eventually succeeded. He criticized the IT industry for chasing trends instead of fixing core problems. While corporations focus on agentic AI, machine learning, and chatbots, fundamental security remains neglected. Ransomware gangs rake in billions annually through weak passwords, high-risk vulnerabilities, and poor multi-factor authentication.
Ransomware can now run directly on the CPU, researcher warns
