A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition.
Researchers at cybersecurity company ESET found a sample of HybridPetya on VirusTotal. They note that this may be a research project, a proof-of-concept, or an early version of a cybercrime tool still under limited testing.
HybridPetya incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain of these older malware strains.
However, the developer added new things like installation into the EFI System Partition and the ability to bypass Secure Boot by exploiting the CVE-2024-7344 vulnerability.
ESET discovered the flaw in January this year, The issue consists in Microsoft-signed applications that could be exploited to deploy bootkits even with Secure Boot protection active on the target.
Upon launch, HybridPetya determines if the host uses UEFI with GPT partitioning and drops a malicious bootkit into the EFI System partition consisting of several files. These include configuration and validation files, a modified bootloader, a fallback UEFI bootloader, an exploit payload container, and a status file that tracks the encryption progress.
ESET lists the following files used across analyzed variants of HybridPetya:
\EFI\Microsoft\Boot\config (encryption flag + key + nonce + victim ID)
\EFI\Microsoft\Boot\verify (used to validate correct decryption key)
\EFI\Microsoft\Boot\counter (progress tracker for encrypted clusters)
\EFI\Microsoft\Boot\bootmgfw.efi.old (backup of original bootloader)
\EFI\Microsoft\Boot\cloak.dat (contains XORed bootkit in Secure Boot bypass variant)
Also, the malware replaces \EFI\Microsoft\Boot\bootmgfw.efi with the vulnerable ‘reloader.efi,’ and removes \EFI\Boot\bootx64.efi.
The original Windows bootloader is also saved to be activated in the case of successful restoration, meaning that the victim paid the ransom.
Once deployed, HybridPetya triggers a BSOD displaying a bogus error, as Petya did, and forces a system reboot, allowing the malicious bootkit to execute upon system boot.
At this step, the ransomware encrypts all MFT clusters using a Salsa20 key and nonce extracted from the config file while displaying a fake CHKDSK message, like NotPetya.
Once the encryption completes, another reboot is triggered and the victim is served a ransom note during system boot, demanding a Bitcoin payment of $1,000.
Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday, so Windows systems that have applied this or later security updates are protected from HybridPetya.
Yes, it is not new, just the concept is relatively new and can be reutilized by further malware pieces using unpatched expolits in Windows, till the time they are patched.
Yes, it is not new, just the concept is relatively new and can be reutilized by further malware pieces using unpatched expolits in Windows, till the time they are patched.
Unlikely because first the exploit is patched, finding unpatched exploits is not the easiest task and now, behavioural profiles and heuristics are created. This malware is highly successful because majority of actions happen on reboot, before the security solution is active. But the distribution means (email, download, dropper, loader and so on) can be detected effectively.
Further updates to Windows and firmware will render Hybrid Petya code useless.
This malware is a one trick pony — the whole success was due to the now patched vulnerability. More bootloaders will now be added to the revocation list.
Problem is for users and machines that don’t install updates.
