A recently identified ransomware variant, HybridPetya, has demonstrated the capability to circumvent the UEFI Secure Boot feature, enabling the installation of malicious applications within the EFI System Partition.
This innovative malware appears to draw inspiration from the notorious Petya and NotPetya strains, which disrupted operations by encrypting files and rendering Windows systems unbootable during the 2016 and 2017 attacks. Unlike its predecessors, HybridPetya lacks a recovery option, further complicating victim restoration efforts.
Cybersecurity researchers from ESET discovered this variant on VirusTotal and suggest that it could represent a research initiative, a proof-of-concept, or an early-stage cybercrime tool undergoing limited testing. Its emergence underscores a persistent threat landscape, comparable to other malicious tools like BlackLotus, BootKitty, and Hyper-V Backdoor. These developments indicate that UEFI bootkits with Secure Boot bypass capabilities are an increasingly relevant concern.
HybridPetya merges the visual aesthetics and attack methodologies of both Petya and NotPetya, while simultaneously introducing novel features such as installation in the EFI System Partition and the exploitation of the CVE-2024-7344 vulnerability to override Secure Boot protections.
ESET identified this vulnerability in January of this year. It involves Microsoft-signed applications that can be manipulated to deploy bootkits, achieving execution even in environments where Secure Boot is enabled.
Figure: Execution logic (Source: ESET)
Upon execution, HybridPetya assesses whether the host device utilizes UEFI with GUID Partition Table (GPT) partitioning. It then deploys a malicious bootkit into the EFI System Partition, encompassing multiple files critical for its operation.
Notably, these components include configuration and validation files, a modified bootloader, a fallback UEFI bootloader, an exploit payload container, and a status file that monitors encryption processes.
ESET outlines the following key files associated with analyzed variants of HybridPetya:
- \EFI\Microsoft\Boot\config (contains encryption flag, key, nonce, and victim ID)
- \EFI\Microsoft\Boot\verify (used for validating the decryption key)
- \EFI\Microsoft\Boot\counter (tracks the progress of encrypted clusters)
- \EFI\Microsoft\Boot\bootmgfw.efi.old (backup of the original bootloader)
- \EFI\Microsoft\Boot\cloak.dat (houses an XORed bootkit in the Secure Boot bypass variant)
The malware also alters \EFI\Microsoft\Boot\bootmgfw.efi, replacing it with the compromised ‘reloader.efi’ and removing \EFI\Boot\bootx64.efi.
Furthermore, the original Windows bootloader is preserved to facilitate recovery if the ransom is paid.
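A defender-side check for the ESP layout just described, added here as an example (it is not ESET's code or the IoC repository's). It assumes the EFI System Partition is already mounted and its root path is passed in (on Windows, `mountvol S: /S` mounts it at S:), that the file names are exactly those listed above, and the three verdict levels are a hypothetical heuristic, not an official detection rule.

```python
import tempfile
from pathlib import Path

# Artefacts ESET lists for HybridPetya, relative to the ESP root (forward slashes;
# Path converts the separator on Windows).
DROPPED_FILES = {
    "EFI/Microsoft/Boot/config": "encryption flag, Salsa20 key, nonce, victim ID",
    "EFI/Microsoft/Boot/verify": "decryption-key validation data",
    "EFI/Microsoft/Boot/counter": "encrypted-cluster progress",
    "EFI/Microsoft/Boot/bootmgfw.efi.old": "backup of the original bootloader",
    "EFI/Microsoft/Boot/cloak.dat": "XORed bootkit (Secure Boot bypass variant)",
}
# Fallback loader the malware deletes. Its absence alone is only a weak signal,
# because some firmware setups never ship one.
FALLBACK_LOADER = "EFI/Boot/bootx64.efi"


def scan_esp(root):
    """Return which HybridPetya artefacts exist under a mounted ESP plus a verdict."""
    root = Path(root)
    found = {rel: why for rel, why in DROPPED_FILES.items() if (root / rel).is_file()}
    fallback_missing = not (root / FALLBACK_LOADER).is_file()
    if found:
        verdict = "likely_hybridpetya"   # none of these names belong on a stock ESP
    elif fallback_missing:
        verdict = "check_manually"       # weak signal: inspect bootmgfw.efi's signer
    else:
        verdict = "no_indicators"
    return {"found": found, "fallback_missing": fallback_missing, "verdict": verdict}


def demo():
    """Build a constructed ESP layout in a temp dir (not a real sample) and scan it twice."""
    esp = Path(tempfile.mkdtemp())
    (esp / "EFI/Boot").mkdir(parents=True)
    (esp / "EFI/Boot/bootx64.efi").write_bytes(b"MZ-stub")      # stock state
    clean = scan_esp(esp)
    (esp / "EFI/Microsoft/Boot").mkdir(parents=True)            # post-infection state
    (esp / "EFI/Microsoft/Boot/bootmgfw.efi.old").write_bytes(b"MZ-stub")
    (esp / "EFI/Microsoft/Boot/config").write_bytes(b"\x01" + b"\x00" * 63)
    (esp / "EFI/Boot/bootx64.efi").unlink()                     # the malware removes it
    infected = scan_esp(esp)
    return clean, infected


if __name__ == "__main__":
    for label, result in zip(("clean", "infected"), demo()):
        print(label, result["verdict"], sorted(result["found"]))
```

Run it against a real mount with `scan_esp(r"S:\")` after mounting the ESP; the demo only exercises constructed directories.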
Once installed, HybridPetya triggers a Blue Screen of Death (BSOD) that reveals a fabricated error message, akin to its predecessors, forcing the system to reboot and allowing the malicious bootkit to execute during system startup.
In this phase, the ransomware encrypts all Master File Table (MFT) clusters using a Salsa20 key and nonce derived from the configuration file, while displaying a misleading CHKDSK message reminiscent of NotPetya.
Figure: Fake CHKDSK message (Source: ESET)
Upon completion of the encryption, the system undergoes another reboot, at which point victims are confronted with a ransomware note during boot, demanding a payment of $1,000 in Bitcoin.
Figure: HybridPetya's ransom note (Source: ESET)
In exchange for the ransom, victims receive a 32-character decryption key that restores the original bootloader, reverses the encryption, and prompts the user to reboot.
While HybridPetya has not yet been documented in operational attack scenarios, it serves as a cautionary example of how proof-of-concept tools can evolve into significant threats targeting unpatched Windows systems.
Indicators of compromise (IOCs) for defending against HybridPetya are accessible within a GitHub repository. Importantly, Microsoft addressed CVE-2024-7344 in the January 2025 Patch Tuesday release, ensuring that systems updated with this patch or subsequent updates are fortified against HybridPetya.
A proactive approach to ransomware prevention includes maintaining offline backups of critical data, facilitating seamless system restoration in the event of an incident.