You think ransomware is bad? Wait until it infects CPUs • The Register

05/11/2025


RSAC If Rapid7’s Christiaan Beek decided to change careers and become a ransomware criminal, he knows exactly how he’d innovate: CPU ransomware.

The senior director of threat analytics for the cybersecurity company got the idea from a bad bug in AMD Zen chips that, if exploited by highly skilled attackers, would allow those intruders to load unapproved microcode into the processors, breaking encryption at the hardware level and modifying CPU behavior at will.

Typically, only chip manufacturers can provide the correct microcode for their CPUs, which they might do to improve performance or fix holes. While it’s difficult for outsiders to figure out how to write new microcode, it’s not impossible – in the case of the AMD bug, Google demonstrated it could inject microcode to make the chip always choose the number 4 when asked for a random number.
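Because legitimate microcode comes only from the vendor, one cheap hygiene check a defender can run is to compare the microcode revision the kernel reports for every logical CPU against the vendor's published revision for that CPU model, and to flag cores that disagree with each other. The script below is an added example for this article, not code from Rapid7, AMD or The Register: it parses the Linux /proc/cpuinfo format (standard keys: processor, vendor_id, cpu family, model, stepping, microcode) and audits the revisions against a baseline table. The sample /proc/cpuinfo text and the baseline revision values are constructed placeholders, not real vendor numbers, so replace the BASELINE entries with the revisions your CPU vendor publishes before relying on the result. Note that this reads what the running kernel reports, so it is a configuration and patch-hygiene check rather than proof against a kernel- or firmware-level attacker who can lie about the value.

```python
"""Audit microcode revisions reported by the Linux kernel in /proc/cpuinfo.

Added example; not code from the article, Rapid7 or AMD. Assumes the
standard /proc/cpuinfo key names. Baseline values are constructed
placeholders: replace them with the revisions published by the vendor.
"""
from typing import Dict, List, Tuple

# Constructed sample: two logical CPUs, the second reporting an older
# microcode revision than the first (the kind of per-core inconsistency
# a microcode change on one core would produce).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: Example Zen CPU (constructed)
stepping\t: 0
microcode\t: 0xa201016

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: Example Zen CPU (constructed)
stepping\t: 0
microcode\t: 0xa201009
"""

# Placeholder baseline: (vendor, family, model, stepping) -> minimum revision.
# These numbers are constructed, not real vendor data.
BASELINE: Dict[Tuple[str, int, int, int], int] = {
    ("AuthenticAMD", 25, 33, 0): 0xA201016,
}


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo into one key -> value dict per logical CPU.

    Records are separated by blank lines; each line is 'key : value'.
    """
    cpus: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def audit_microcode(text: str, baseline=BASELINE) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong.

    Two checks: each CPU's revision must be at least the baseline for its
    model, and all logical CPUs must report the same revision.
    """
    findings: List[str] = []
    revisions = set()
    for cpu in parse_cpuinfo(text):
        try:
            ident = (cpu["vendor_id"], int(cpu["cpu family"]),
                     int(cpu["model"]), int(cpu["stepping"]))
            rev = int(cpu["microcode"], 16)
        except (KeyError, ValueError):
            findings.append(
                f"cpu {cpu.get('processor', '?')}: missing or malformed fields")
            continue
        revisions.add(rev)
        expected = baseline.get(ident)
        if expected is None:
            findings.append(f"cpu {cpu['processor']}: no baseline for {ident}")
        elif rev < expected:
            findings.append(
                f"cpu {cpu['processor']}: microcode {rev:#x} "
                f"below baseline {expected:#x}")
    if len(revisions) > 1:
        findings.append(
            "microcode revision differs between logical CPUs: "
            + ", ".join(f"{r:#x}" for r in sorted(revisions)))
    return findings


if __name__ == "__main__":
    # On a live host, replace SAMPLE_CPUINFO with open("/proc/cpuinfo").read().
    for finding in audit_microcode(SAMPLE_CPUINFO) or ["no findings"]:
        print(finding)
```

On the constructed sample the audit reports two findings: cpu 1 is below the placeholder baseline, and the two logical CPUs disagree on their revision. A clean host yields an empty list.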

“Coming from a background in firmware security, I was like, woah, I think I can write some CPU ransomware,” Beek told The Register.

Spoiler alert: Beek followed through and wrote proof-of-concept code for ransomware that hides in the computer’s processor. “Of course, we won’t release that, but it’s fascinating, right?”

This, according to Beek, is the worst-case scenario. “Ransomware at the CPU level, microcode alteration, and if you are in the CPU or the firmware, you will bypass every freaking traditional technology we have out there.”

It’s not an entirely theoretical risk, though honestly very slim right now. There are some indications that criminals are moving toward this end goal, from the UEFI bootkits that go back to 2018 and are now sold on cyber-crime forums to allow miscreants to bypass Secure Boot and embed malware into the firmware, surviving operating system reboots.

More recently, the 2022 Conti leaks indicated that the ransomware gang’s developers were working on firmware ransomware. Beek included some quotes from the Conti chat logs in his RSAC presentation:

While Beek says he hasn’t yet found a working malware sample in the wild, “if they worked on it a few years ago, you can bet some of them will get smart enough at some point and start creating this stuff.”

Beek knows it’s possible because he’s already done it himself. 

“We should not be talking about ransomware in 2025 — and that fault falls on everyone: the vendors, the end users, cyber insurers,” Beek told The Register.

“Twelve years later, we’re still fighting the battle,” he said. “While we’re still seeing a lot of technological evolution, everybody’s shouting agentic, AI, ML. And if we’re bloody honest, we still haven’t fixed our foundations.”

How attackers break in “is not rocket science,” he added. “What I’m seeing with a lot of ransomware breaches: it’s a high-risk vulnerability, or a weak password, or we haven’t deployed multi-factor authentication, or it’s wrongly deployed. That is frustrating.” 

What should organizations do? Beek urges everyone to focus on cybersecurity basics. “We spend a lot of our time and money as an industry on innovation,” he said. “But at the same time, our cyber hygiene is not improving.” ®
