HybridPetya Ransomware Can Bypass UEFI Secure Boot

ESET researchers have uncovered a new strain of ransomware, dubbed HybridPetya, capable of bypassing UEFI Secure Boot protections to install a malicious application in the EFI system partition. The malware appears to take inspiration from the destructive Petya/NotPetya campaigns of 2016–2017, which crippled systems by encrypting data with no possibility of recovery.
Discovery and Initial Assessment
A sample of HybridPetya was first uploaded to VirusTotal. Researchers note that the malware could be a research project, a proof-of-concept, or an early-stage tool still in limited testing.
Even so, HybridPetya already functions as a UEFI bootkit with Secure Boot bypass capabilities, placing it in the same threat category as BlackLotus, BootKitty, and the Hyper-V Backdoor.
Technical Characteristics
HybridPetya mimics both Petya and NotPetya, borrowing their visual style and attack flow while introducing new capabilities. Most notably, it installs itself in the EFI system partition and bypasses Secure Boot by exploiting CVE-2024-7344.
- CVE-2024-7344 was discovered by ESET analysts in early 2025.
- The flaw involves a Microsoft-signed UEFI application that can be abused to load bootkits, despite Secure Boot being enabled.
- Several third-party system recovery tools rely on this vulnerable application.
- Microsoft patched the vulnerability in January 2025; therefore, systems with up-to-date patches should be protected.

When executed, HybridPetya checks if the host uses UEFI with a GPT partition layout. If so, it plants a bootkit consisting of:
- Configuration and validation files
- A modified bootloader
- A backup UEFI bootloader
- An exploit payload container
- A status file tracking encryption progress
Importantly, the malware preserves the original Windows bootloader, likely to allow recovery if the victim pays the ransom.
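Because every component listed above lands on the EFI system partition, the most practical host-side check is an integrity baseline of the ESP: record a hash of every file while the system is known-good, then diff the live partition against it so that added, modified and removed files all surface. The script below is an added illustration, not ESET's tooling or anything from the HybridPetya sample; the ESP layout it builds in a temporary directory is constructed, and the file names it adds after baselining are hypothetical stand-ins for the component classes, not published indicators.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every file under the ESP (relative, forward-slash path) to its SHA-256."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_esp(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline with the live ESP and report what changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean ESP, then show what the audit sees
    once the component classes described above appear (names are hypothetical)."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"ORIGINAL WINDOWS BOOT MANAGER")  # placeholder bytes
        baseline = hash_tree(esp)  # in practice persisted offline, e.g. json.dump(baseline, fh)

        # Post-install layout as a defender would find it (placeholder content, hypothetical names):
        (boot / "bootmgfw.efi.bak").write_bytes(b"ORIGINAL WINDOWS BOOT MANAGER")  # backup of original loader
        (boot / "bootmgfw.efi").write_bytes(b"REPLACED LOADER")                    # modified bootloader
        (boot / "config").write_bytes(b"key and nonce placeholder")                 # configuration/validation
        (boot / "status").write_bytes(b"0")                                         # encryption progress file
        return diff_esp(baseline, hash_tree(esp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `hash_tree` at the mounted ESP (commonly /boot/efi on Linux, or a drive letter assigned with mountvol on Windows) and keep the baseline off the host; a modified loader shows up under "modified" even though the original copy is still present on disk, which is exactly the backup behaviour noted above.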

Attack Flow
After installation, HybridPetya triggers a fake Blue Screen of Death (BSOD)—similar to Petya—and forces a reboot. On restart, the bootkit executes.
- It encrypts all Master File Table (MFT) clusters using a Salsa20 key and a nonce from the configuration file.
- While encrypting, it displays a fake CHKDSK screen, mimicking NotPetya.
- Once encryption completes, the system reboots again and displays a ransom note demanding $1,000 in Bitcoin.
If the ransom is paid, victims are instructed to enter a 32-character key. Doing so restores the original bootloader, decrypts the encrypted clusters, and prompts a system restart.

As of now, the attackers’ Bitcoin wallet remains empty, though between February and May 2025 it recorded small incoming transfers totaling $183.32.
Current Status and Warnings
While HybridPetya has not yet been detected in real-world attacks, researchers caution that it could quickly transition from proof-of-concept to active use in campaigns against unpatched Windows systems.
Indicators of Compromise (IOCs) for HybridPetya have already been published on GitHub.