Cyber Web Spider Blog – News
New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit

Posted on September 12, 2025 By CWS

Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the infamous Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.
Slovakian cybersecurity company ESET said the samples were uploaded to the VirusTotal platform in February 2025.
“HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions,” security researcher Martin Smolár said. “Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.”
In other words, the deployed UEFI application is the central component that takes care of encrypting the Master File Table (MFT) file, which contains metadata related to all the files on the NTFS-formatted partition.

HybridPetya comes with two main components: a bootkit and an installer, with the former appearing in two distinct versions. The bootkit, which is deployed by the installer, is mainly responsible for loading its configuration and checking its encryption status. The status flag can have three different values –

0 – prepared for encryption
1 – already encrypted, and
2 – ransom paid, disk decrypted

Should the value be set to 0, the bootkit sets the flag to 1 and encrypts the \EFI\Microsoft\Boot\verify file with the Salsa20 stream cipher using the key and nonce specified in the configuration. It also creates a file called “\EFI\Microsoft\Boot\counter” on the EFI System Partition prior to launching the disk encryption process for all NTFS-formatted partitions. The file is used to keep track of the disk clusters already encrypted.
Furthermore, the bootkit updates the fake CHKDSK message displayed on the victim’s screen with information about the current encryption status, while the victim is deceived into thinking that the system is repairing disk errors.
If the bootkit detects that the disk is already encrypted (i.e., the flag is set to 1), it serves a ransom note to the victim, demanding that they send $1,000 in Bitcoin to the specified wallet address (34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2). The wallet is currently empty, although it received $183.32 between February and May 2025.

The ransom note screen also provides an option for the victim to enter the decryption key purchased from the operator after making the payment, following which the bootkit verifies the key and attempts to decrypt the “\EFI\Microsoft\Boot\verify” file. If the correct key is entered, the flag value is set to 2 and the decryption step is kicked off by reading the contents of the “\EFI\Microsoft\Boot\counter” file.
“The decryption stops when the number of decrypted clusters is equal to the value from the counter file,” Smolár said. “During the process of MFT decryption, the bootkit shows the current decryption process status.”
The decryption phase also involves the bootkit recovering the legitimate bootloaders, “\EFI\Boot\bootx64.efi” and “\EFI\Microsoft\Boot\bootmgfw.efi”, from the backups previously created during the installation process. Once this step is complete, the victim is prompted to reboot their Windows machine.

It is worth noting that the bootloader modifications initiated by the installer during the deployment of the UEFI bootkit component trigger a system crash (aka Blue Screen of Death or BSoD) and ensure that the bootkit binary is executed once the machine is turned on.
Select variants of HybridPetya, ESET added, have been found to exploit CVE‑2024‑7344 (CVSS score: 6.7), a remote code execution vulnerability in the Howyar Reloader UEFI application (“reloader.efi”, renamed in the artifact as “\EFI\Microsoft\Boot\bootmgfw.efi”) that could result in a Secure Boot bypass.
The variant also packs in a specially crafted file named “cloak.dat,” which is loadable through reloader.efi and contains the XORed bootkit binary. Microsoft has since revoked the old, vulnerable binary as part of its Patch Tuesday update for January 2025.

“When the reloader.efi binary (deployed as bootmgfw.efi) is executed during boot, it searches for the presence of the cloak.dat file on the EFI System Partition, and loads the embedded UEFI application from the file in a very unsafe way, completely ignoring any integrity checks, thus bypassing UEFI Secure Boot,” ESET said.
Another aspect where HybridPetya and NotPetya differ is that, unlike the latter’s destructive, unrecoverable encryption, the newly identified artifact allows the threat actors to reconstruct the decryption key from the victim’s personal installation keys.
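As an added example, not ESET's tooling or code from the article: a small Python triage script that walks a mounted copy of the EFI System Partition for the artifacts named above (the verify and counter state files and cloak.dat) and maps what it finds onto the bootkit's 0/1/2 status flag. The stage names, the any-depth match for cloak.dat and the constructed directory layout in demo() are assumptions of this example, not facts from the write-up.

```python
import tempfile
from pathlib import Path

# Artifacts ESET names for HybridPetya, relative to the ESP root. FAT32 is
# case-insensitive, so all matching is done on lower-cased POSIX-style paths.
VERIFY = "efi/microsoft/boot/verify"    # Salsa20-encrypted key-check file
COUNTER = "efi/microsoft/boot/counter"  # count of already-encrypted clusters
PAYLOAD = "cloak.dat"                   # XORed bootkit loaded by reloader.efi


def scan_esp(root: Path) -> list[str]:
    """Return the lower-cased relative paths of HybridPetya artifacts under root."""
    found = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix().lower()
        # The state files sit at fixed paths; cloak.dat is only said to be
        # "on the EFI System Partition", so it is matched at any depth (assumption).
        if rel in (VERIFY, COUNTER) or path.name.lower() == PAYLOAD:
            found.append(rel)
    return sorted(found)


def assess(found: list[str]) -> str:
    """Map artifacts to the stage implied by the bootkit's 0/1/2 status flag."""
    if COUNTER in found:
        # The counter is written just before MFT encryption begins (flag 0 -> 1),
        # so its presence means encryption started; treat the volume as encrypted.
        return "encrypted"
    if VERIFY in found:
        return "staged"  # verify file written, encryption not yet started
    if any(p.endswith(PAYLOAD) for p in found):
        return "payload-only"  # CVE-2024-7344 variant dropped, bootkit not yet run
    return "clean"


def demo() -> tuple[list[str], str]:
    """Scan a constructed ESP layout (dummy bytes, not a real sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"MZ placeholder")
        (boot / "verify").write_bytes(b"\x00" * 16)
        (boot / "counter").write_bytes((1234).to_bytes(4, "little"))
        (esp / "cloak.dat").write_bytes(b"\xaa" * 32)
        found = scan_esp(esp)
        return found, assess(found)
```

On a live system, point scan_esp at the mount point of the ESP (for example after `mountvol` on Windows or mounting the FAT32 partition on Linux) and treat any "encrypted" result as a disk that must not be rebooted before imaging.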

Telemetry data from ESET indicates no evidence of HybridPetya being used in the wild. The cybersecurity company also pointed out the recent discovery of a UEFI Petya Proof-of-Concept (PoC) by security researcher Aleksandra “Hasherezade” Doniec, adding that it is possible there could be “some relationship between the two cases.” However, it does not rule out the possibility that HybridPetya is also a PoC.
“HybridPetya is now at least the fourth publicly known example of a real or proof-of-concept UEFI bootkit with UEFI Secure Boot bypass functionality, joining BlackLotus (exploiting CVE‑2022‑21894), BootKitty (exploiting LogoFail), and the Hyper-V Backdoor PoC (exploiting CVE‑2020‑26200),” ESET said.
“This shows that Secure Boot bypasses are not just possible – they’re becoming more common and attractive to both researchers and attackers.”

Source: The Hacker News. Tags: Boot, Bypasses, CVE-2024-7344, Exploit, HybridPetya, Ransomware, Secure, UEFI