Rapid7 researcher develops proof-of-concept ransomware targeting CPUs directly
Christiaan Beek, Senior Director of Threat Analytics at Rapid7, has created a working proof-of-concept ransomware that operates at the CPU level — bypassing nearly all traditional ransomware defenses. His research highlights how future attacks could encrypt drives or alter system behavior from deep within the processor itself, making detection and removal extremely difficult.
In an interview with The Register, Beek explained how a flaw in AMD’s Zen architecture sparked his idea. He noted that a highly skilled attacker could exploit the vulnerability to inject unauthorized microcode into processors — potentially breaking hardware-level encryption and altering CPU operations remotely.
Google’s security team previously discovered a vulnerability in AMD Zen 1 through Zen 4 processors that allowed unsigned microcode patches to be loaded. Later reports confirmed that even the newer Zen 5 CPUs are also affected. Fortunately, the issue can be mitigated through updated microcode — similar to how Intel addressed instability issues in its Raptor Lake chips.
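Because the mitigation described above is a microcode update, the practical question for a defender is whether every core on a fleet host is actually running the expected revision. The script below is an added example for this article, not code from Rapid7, AMD or Google: it parses the `microcode` field that the Linux kernel exposes in `/proc/cpuinfo` (a real interface), flags cores below an expected minimum revision, and flags cores whose revisions disagree with each other, which can happen when a late-loaded update only reached some cores. The minimum revision and the sample `/proc/cpuinfo` text are constructed placeholders; the real number comes from the vendor advisory or the distribution's microcode package, and the script falls back to the embedded sample when `/proc/cpuinfo` is unavailable.

```python
"""Report microcode revisions per logical CPU from /proc/cpuinfo (Linux).

Added example, not Rapid7/AMD code. EXPECTED_MINIMUM is a PLACEHOLDER value,
not a real AMD microcode revision; substitute the revision from your vendor
advisory or distribution package notes.
"""
import re
from pathlib import Path

# PLACEHOLDER: the minimum acceptable revision for the host's CPU model.
EXPECTED_MINIMUM = 0x11223344

# Constructed sample in /proc/cpuinfo layout: two logical CPUs, one of which
# reports an older revision than the other (a mixed-revision condition).
SAMPLE_CPUINFO = """\
processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 25
model		: 97
model name	: Constructed AMD Zen-family CPU
microcode	: 0x11223344

processor	: 1
vendor_id	: AuthenticAMD
cpu family	: 25
model		: 97
model name	: Constructed AMD Zen-family CPU
microcode	: 0x11223340
"""

FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_cpuinfo(text):
    """Split /proc/cpuinfo-style text into one dict per logical processor.

    Blank lines separate processors. 'microcode' is parsed as a hex integer,
    'processor' as a decimal index; other fields are kept as strings.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "microcode":
            current[key] = int(value, 16)
        elif key == "processor":
            current[key] = int(value)
        else:
            current[key] = value
    if current:
        entries.append(current)
    return entries


def check_microcode(entries, minimum_revision):
    """Compare each core's revision against the minimum and against its peers.

    Returns the distinct revisions seen, the cores below the minimum, whether
    cores disagree with each other, and cores with no microcode field at all
    (e.g. architectures where the kernel does not report one).
    """
    with_field = [e for e in entries if "microcode" in e]
    revisions = {e["microcode"] for e in with_field}
    return {
        "revisions": sorted(revisions),
        "below_minimum": [e["processor"] for e in with_field
                          if e["microcode"] < minimum_revision],
        "inconsistent": len(revisions) > 1,
        "missing_field": [e["processor"] for e in entries
                          if "microcode" not in e],
    }


def load_cpuinfo():
    """Read the live /proc/cpuinfo when present, else the constructed sample."""
    path = Path("/proc/cpuinfo")
    return path.read_text() if path.exists() else SAMPLE_CPUINFO


if __name__ == "__main__":
    result = check_microcode(parse_cpuinfo(load_cpuinfo()), EXPECTED_MINIMUM)
    print("revisions seen :", [hex(r) for r in result["revisions"]])
    print("below minimum  :", result["below_minimum"])
    print("mixed revisions:", result["inconsistent"])
    print("no field       :", result["missing_field"])
```

Run on the embedded sample, the check reports core 1 below the placeholder minimum and a mixed-revision state; on a real host it reads the live file, so running it once after a microcode rollout (and again after reboot, since early-loaded microcode can differ from what was late-loaded) gives a quick per-core confirmation that the mitigation actually took effect.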
But for Beek, the discovery was a starting point: “Coming from a firmware security background, I thought, ‘Wow, I think I can write some CPU-level ransomware.’” And he did just that.
According to reports, Christiaan Beek has successfully developed a working prototype of ransomware capable of embedding itself within a CPU. While he confirmed that the code will not be made public, his findings raise serious concerns about future threats that could operate beyond the reach of current security tools.
Beek warned that such an attack could represent a worst-case scenario: “Ransomware at the CPU level, altering microcode — and if you’re inside the CPU or firmware, you’ll bypass every freaking traditional security technology we have out there.”
He also pointed to leaked communications from the now-notorious Conti ransomware group, originally exposed in 2022. During a presentation at RSAC, Beek referenced internal chat logs in which one hacker claimed to be developing a PoC for ransomware embedded directly into UEFI firmware. One message read: “I am working on a PoC where the ransomware installs itself inside UEFI, so even after reinstalling Windows, the encryption remains active.”
Another Conti member added: “With modified UEFI firmware, we can trigger encryption before the operating system even starts. No antivirus can detect this.”
The implications are alarming: “Imagine if we control the BIOS and load our own bootloader that locks the drive until the ransom is paid,” one attacker reportedly speculated.