
A cybersecurity researcher has developed a proof-of-concept for CPU ransomware that infects processors at the hardware level. Instead of infecting software, the attack abuses CPU microcode to bypass standard software defenses. An infection of this type can persist even after the storage, memory chips, or motherboard are replaced, demonstrating a real evolution in the sophistication of cyber threats.
The ransomware concept was inspired by a vulnerability in AMD's Zen architecture. Christiaan Beek, security director at Rapid7, explained that the ransomware loads malicious microcode directly into the CPU. Microcode is normally updated only by manufacturers such as AMD and Intel, but threats can now use it to deliver ransomware through a vector that standard tools cannot detect. Beek called it the “worst-case scenario,” in which the standard protections of cybersecurity become ineffective.
Hardware ransomware, unlike the software-based malware we are familiar with, operates at the processor level. Antivirus software, operating systems, and firmware defenses cannot stop the threat at that point. A hardware-level ransomware infection cannot be cleared by formatting the device or replacing physical components.
Earlier threats such as the CosmicStrand UEFI rootkit hinted at the possibility of CPU-adjacent attacks, but none had demonstrated ransomware that infects the CPU hardware itself.
The CPU ransomware draws on earlier research: Google has previously disclosed that microcode modifications are possible. This means the work already done on firmware-level exploits, such as UEFI rootkits, is being extended. People in the industry have speculated about attacks of this kind for years.
Chats leaked from a Russian ransomware group in 2022 also showed the group attempting to exploit firmware in a similar way. There had been no evidence that they succeeded; this proof-of-concept now provides evidence that the approach works.
This establishes that ransomware is developing beyond software. The feasibility of CPU-level malware compels the entire cybersecurity community to ask where its trust in hardware ends. The implication of hardware-level persistence is that undetectable threats can survive the normal process of upgrading or rebuilding systems once the hardware itself has been compromised.
Chip makers and the cybersecurity industry need to work together immediately to close these gaps before any real-world attacks take place.