
Ransomware Groups Now Embedding Persistence in UEFI Firmware

Tags: ransomware, firmware, uefi, persistence

Mandiant’s incident response team identified a new ransomware variant that writes encrypted payloads into UEFI firmware partitions, allowing the malware to survive a complete OS reinstallation and, on certain hardware, even disk replacement. The technique builds on the BlackLotus bootkit but adds a novel firmware-level key escrow mechanism. Organizations relying solely on endpoint detection and OS-level forensics will miss this entirely; firmware integrity verification therefore needs to become a standard IR step.
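Added example, not code from the article or from Mandiant: the kind of baseline check the last sentence calls for, comparing SHA-256 digests of collected firmware and boot artifacts against a known-good baseline. Artifact names and contents are constructed for illustration, and the collection of the artifacts from the host (SPI dump, ESP copy) is assumed to happen separately.

```python
import hashlib

# Added example (not from the original article): compare a freshly collected
# inventory of firmware/boot artifacts against a trusted golden baseline.
# Because firmware-resident persistence survives OS reinstallation, the
# baseline must come from a known-good source (vendor image or a pre-incident
# capture), never from a post-reinstall dump of the same machine.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_firmware_inventory(current: dict, baseline: dict) -> dict:
    """current:  artifact name -> raw bytes collected from the host
       baseline: artifact name -> expected SHA-256 hex digest (golden image)
       Returns findings grouped as 'modified', 'unexpected' and 'missing'."""
    findings = {"modified": [], "unexpected": [], "missing": []}
    for name, blob in current.items():
        if name not in baseline:
            findings["unexpected"].append(name)   # nothing in the golden image explains it
        elif sha256_hex(blob) != baseline[name]:
            findings["modified"].append(name)     # content drifted from the golden image
    for name in baseline:
        if name not in current:
            findings["missing"].append(name)      # expected component was not collected
    return findings


# Constructed sample data: hypothetical artifact names and contents.
GOLDEN = {
    "bios_region": b"vendor-bios-image-v1.2",
    "EFI/BOOT/BOOTX64.EFI": b"vendor-boot-manager",
}
GOLDEN_BASELINE = {name: sha256_hex(blob) for name, blob in GOLDEN.items()}

# Simulated post-incident collection: the BIOS region carries extra bytes and an
# additional boot binary is present; an OS reinstall would not reset either.
COLLECTED = {
    "bios_region": b"vendor-bios-image-v1.2" + b"\x00implant",
    "EFI/BOOT/BOOTX64.EFI": b"vendor-boot-manager",
    "EFI/BOOT/grubx64.efi": b"unknown-loader",
}


def run_demo() -> dict:
    return verify_firmware_inventory(COLLECTED, GOLDEN_BASELINE)


if __name__ == "__main__":
    for category, names in run_demo().items():
        print(f"{category}: {names}")
```

A clean host yields three empty lists; any non-empty list is a lead for firmware-level triage rather than proof of compromise on its own.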