Ransomware can now run directly on the CPU, researcher warns

Alfonso Maruccia

Bottom line: Chipmakers typically use microcode updates to fix bugs and improve CPU reliability. However, this low-level layer between hardware and machine code can also serve as a stealthy attack vector – capable of hiding malicious payloads from all software-based defenses. As threats evolve, even the deepest layers of a system can no longer be assumed safe.

A security researcher designed a way to "weaponize" microcode updates to install ransomware directly onto the CPU. Rapid7 analyst Christiaan Beek drew inspiration from a critical flaw in AMD's Zen processors, disclosed by Google researchers earlier this year. The flaw allows an attacker with sufficient privileges to load unsigned, custom microcode; Google's demonstration patched the RDRAND instruction so that it always returned the value 4 when asked for a random number.

Microcode updates are meant to be signed by the CPU manufacturer, so that only vendor-authorized updates load, and only on the processor models they target. Injecting custom microcode is therefore difficult, but as the RDRAND flaw demonstrates, not impossible. Using his knowledge of firmware security, Beek set out to write CPU-level ransomware.
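Two checks a defender can run against the failure modes just described, written here as an added example rather than anything from Beek's proof of concept or from the Google research: a per-core comparison of the microcode revision each logical CPU reports against a known-good baseline (a fleet where one core or one host reports an unexpected revision is worth a look), and a stuck-output test of the kind that would catch a random source that has started returning the same value. The /proc/cpuinfo excerpt and the revision numbers are constructed for the example, not real values for any product.

```python
"""Added example: microcode revision consistency check and a stuck-output
test for a random source. Sample data below is constructed, not captured."""
import os
import random

# Constructed /proc/cpuinfo excerpt in Linux format. The vendor string is
# real; the model name and revision values are made up for the example,
# and core 2 deliberately reports a different revision from cores 0 and 1.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
model name\t: Hypothetical AMD CPU
microcode\t: 0xa0011d3

processor\t: 1
vendor_id\t: AuthenticAMD
model name\t: Hypothetical AMD CPU
microcode\t: 0xa0011d3

processor\t: 2
vendor_id\t: AuthenticAMD
model name\t: Hypothetical AMD CPU
microcode\t: 0xa0011b0
"""


def parse_microcode_revisions(cpuinfo_text):
    """Map each logical processor number to the microcode revision it reports."""
    revisions = {}
    current = None
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator line between processor blocks
        key, value = key.strip(), value.strip()
        if key == "processor":
            current = int(value)
        elif key == "microcode" and current is not None:
            revisions[current] = int(value, 16)
    return revisions


def check_microcode(cpuinfo_text, expected_revision):
    """Return sorted (cpu, reported_revision) pairs that differ from the
    baseline. A healthy host reports one revision on every core."""
    revisions = parse_microcode_revisions(cpuinfo_text)
    return sorted((cpu, rev) for cpu, rev in revisions.items()
                  if rev != expected_revision)


def repetition_count_test(samples, cutoff):
    """Repetition count test in the style of NIST SP 800-90B: return True
    (failure) when any value repeats consecutively `cutoff` or more times.
    A source that always returns 4 fails this on the first `cutoff` draws."""
    run, prev = 0, object()
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return True
    return False


if __name__ == "__main__":
    # Run the revision check against the constructed sample, then against the
    # live /proc/cpuinfo if this host has one (baseline is the majority value).
    print("sample anomalies:", check_microcode(SAMPLE_CPUINFO, 0xa0011d3))
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as f:
            live = parse_microcode_revisions(f.read())
        if live:
            baseline = max(set(live.values()), key=list(live.values()).count)
            print("live anomalies:", [(c, hex(r)) for c, r in live.items()
                                      if r != baseline])
    # A stuck source fails the test; a seeded PRNG of 64-bit values does not.
    print("stuck source fails:", repetition_count_test([4] * 32, 20))
    rng = random.Random(1)
    print("healthy source fails:",
          repetition_count_test([rng.getrandbits(64) for _ in range(10000)], 20))
```

The caveat that matters for this page: the revision in /proc/cpuinfo is whatever the processor itself reports, so a malicious microcode patch that also lies about its revision defeats the first check, and an RDRAND patch that returns plausible-looking output instead of a constant defeats the second. Both checks catch careless tampering and accidental drift (a BIOS downgrade, a host the update rollout missed); neither is a substitute for a trustworthy update path.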

The Register notes that the security expert developed a proof-of-concept (PoC) that hides a ransomware payload inside the processor. He described the breakthrough as "fascinating," though he has no plans to release any documentation or code from the PoC. An attacker who compromised CPU microcode or motherboard firmware this way could bypass every traditional security control that runs above it.

Beek emphasized that extremely low-level ransomware threats aren't just theoretical. The infamous BlackLotus bootkit, for example, can compromise UEFI firmware and infect systems protected by Secure Boot. He also quoted snippets from the Conti ransomware group's internal chat logs, leaked in 2022, in which Conti developers were reportedly working on a PoC to install ransomware directly into UEFI firmware.

"If we modify the UEFI firmware, we can trigger encryption before the OS loads. No AV can detect this," the cybercriminals stated.

With the right exploit, the group could abuse UEFI firmware releases that accepted unsigned updates to carry out the covert ransomware installation.

If a few capable black hat hackers had been exploring this kind of threat years ago, Beek said, the most skilled among them would have eventually succeeded. He criticized the IT industry for chasing trends instead of fixing core problems. While corporations focus on agentic AI, machine learning, and chatbots, fundamental security remains neglected. Ransomware gangs rake in billions annually through weak passwords, high-risk vulnerabilities, and poor multi-factor authentication.

Anything that can be patched can be maliciously patched. Anything that can be accessed can be maliciously accessed.

And yet here we are, propping up these towers of garbage, sacrificing security, privacy, and cash just to make sure Betty can keep using Excel in our greedy new always-online, software defined world where you can pay a vendor the cost of a new home annually just to access an environment you have no control over.
 
What makes this so concerning isn’t just the technical novelty—it’s how invisible it would be to every traditional security layer. Antivirus, OS-level protections, even most forensics tools wouldn’t catch it. It flips the script on everything defenders are used to dealing with.
 
Ransomware gangs rake in billions annually through weak passwords, high-risk vulnerabilities, and poor multi-factor authentication.
I'd say even more importantly, through organizations that did not have adequate backup and recovery plans; that are willing to pay cash that fund future attacks against them and others; that are willing to keep the transaction quiet from having more pride than sense; through tolerance and mainstreaming of digital currencies that make these payments possible; and from lackluster response from authorities especially against those that are state actors or sponsored.

By the time a "gang" is crossing the billion dollar mark, I vote we hand the matter over to the military no matter where they may be located. We will never close every loophole but we can significantly change the risk/reward ratio.
 
WHAT.

THE.

F!!K!!?

Are we really watching tech insiders intentionally wreak havoc on the tech industry? Rewritable firmware and the disastrous UEFI standard have already opened the door to hardware-level man-in-the-middle attacks.

Now, companies are paying individuals to deliberately disable software and hardware protections and then freely share these exploits—especially if they’re not rewarded promptly. Our current security measures have proven nearly useless, unable to detect or fix the latest hardware vulnerabilities that anyone can easily exploit.

Even when vulnerabilities are discovered, patches take so long—or never come at all—that users remain unaware of the risks they face. Imagine if there were an app from Apple, Google, or Windows that alerted you to security threats and offered practical steps to protect your device. Clearly, that simple solution isn’t welcome, as it would expose just how fragile our security truly is.

This situation is like hiring buccaneers to attack your ships, relying on the hope that you’ll eventually outsmart them and reclaim control. And instead of using advanced, in-house computation to secure our code, we’re settling for chatbots to merely proofread and format text.

Will hardware and computer security ever recover, or are we inexorably sliding toward a dystopian future?

(*BIG BIG GRIN* Proofed and formatted courtesy of Microsoft Copilot!) :eek:) The 'WHAT THE..' bit at the beginning was all me however. Also, I think my original version was much better tbh. (Ah heck, I'll repost my original intended posting also, just because...

*PRE-COPILOT POST*:

WHAT. THE. F!!K!!? Are these techhead *****S *trying* to destroy the tech industry?? Things were bad enough with all this rewritable firmware in most hardware and the unmitigated covert disaster the UEFI standard has been for PCs making MITMing what shouldn't be MITMable possible, AT THE HARDWARE LEVEL NO LESS!

Now everyone is PAYING these cretins to intentionally break the protections on their software/hardware and to share their exploits with anyone (Which they'll readily do if they aren't paid a finder's fee in a timely manner) Software protections are already pretty much useless now and they've proven that they aren't up to finding & fixing the current and emerging hardware exploits that are readily available 'in scriptable form!' for anyone.

And even when they're found, it takes them ages to patch them; often times they aren't patched at all and the user is left using exploitable hardware - all-unknowing. I mean, something as simple as having an Apple, Google or Windows app on the device that alerts you to current threats/security updates for your device and what you should and shouldn't do to fix or mitigate the problem! Oh...well, no that wouldn't fly probably. Then everyone would truly know what a farce security is nowadays when they see just how exposed their devices are.

I mean, geez! this is like PAYING buccaneers to pillage your ships in the hopes that you'll outwit them at some point in the future and finally make a profit!

Instead of using E.C. (Come on, it's 'E'ntrained 'C'omputation, let's be real, If anything this shows how inept today's technology is of being able to produce anything remotely like true A.I. GEEZ, the power it eats is outrageous!) to proof code for known and possible exploits in-house we get chat-bots to proof and format written text.

Will hardware/computer security ever be the same again or is this just more of the slow inexorable slide into some future dystopian society?
 