In late July 2025, a set of ransomware samples surfaced on VirusTotal under filenames referencing the infamous Petya and NotPetya attacks.
Unlike its predecessors, this new threat, dubbed HybridPetya by ESET researchers, showed capabilities that extend beyond standard userland execution, directly targeting UEFI firmware on vulnerable systems.
Through a specially crafted cloak.dat file and the exploitation of CVE-2024-7344, HybridPetya achieves a Secure Boot bypass on outdated platforms, allowing it to install a malicious EFI application into the EFI System Partition.
HybridPetya's emergence marks a significant evolution in bootkit design. The malware uses a two-component structure: a Windows-based installer and an EFI bootkit.
Upon deployment, the installer locates the EFI System Partition, backs up the legitimate bootloaders, drops a Salsa20-encrypted configuration file (\EFI\Microsoft\Boot\config), and plants an encrypted verification array (\EFI\Microsoft\Boot\verify).
Overview of HybridPetya's execution logic (Source – Welivesecurity)
A triggered BSOD then forces the system to reboot through the compromised bootloader, activating the EFI component at the next startup.
ESET researchers found that HybridPetya supports both legacy and UEFI systems; however, its real innovation lies in bypassing UEFI Secure Boot via the CVE-2024-7344 vulnerability.
On affected systems lacking Microsoft's January 2025 dbx update, the malicious reloader.efi application masquerades as a trusted Microsoft-signed binary.
When executed, it treats the accompanying cloak.dat file as a legitimate payload, loading and executing the XOR-obfuscated EFI bootkit without signature verification.
Hex-Rays decompiled code for NTFS partition identification (Source – Welivesecurity)
This technique mirrors the exploitation method detailed by ESET in earlier advisories, here weaponized inside a ransomware framework.
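The installer and loader stages above leave a recognisable footprint on the EFI System Partition: the planted config and verify files in the Microsoft boot directory, the reloader.efi loader and its cloak.dat payload, and the .old backups of the original bootloaders. The following triage script is an added example, not code from the article or from ESET; it walks a mounted ESP (or an extracted copy from a disk image) and reports those artifacts, adding a byte-entropy figure for the planted files so an analyst can see at a glance that they look encrypted. The directory layout it constructs for the demo is an assumption (the article does not say where reloader.efi and cloak.dat are placed), and the sample file contents are constructed, not real samples.

```python
import math
import os
import tempfile
from pathlib import Path

# Artifact names as given in the article; paths are relative to the ESP root.
BOOT_DIR = Path("EFI") / "Microsoft" / "Boot"
PLANTED_FILES = ("config", "verify")            # Salsa20 config + verification array
LOADER_NAMES = ("reloader.efi", "cloak.dat")    # vulnerable loader + obfuscated payload
BACKUP_SUFFIX = ".old"                          # backups of the original bootloaders


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; encrypted or obfuscated blobs sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts if c)


def scan_esp(esp_root) -> list:
    """Walk an ESP tree and return findings as dicts: indicator, path, entropy."""
    root = Path(esp_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if path.parent == root / BOOT_DIR and name in PLANTED_FILES:
            # Unexpected unsigned data files next to the Windows boot manager
            findings.append({"indicator": "planted boot file", "path": rel,
                             "entropy": shannon_entropy(path.read_bytes())})
        if name in LOADER_NAMES:
            findings.append({"indicator": "CVE-2024-7344 loader/payload name",
                             "path": rel, "entropy": None})
        if name.endswith(BACKUP_SUFFIX):
            findings.append({"indicator": "backup of original bootloader",
                             "path": rel, "entropy": None})
    return sorted(findings, key=lambda f: (f["indicator"], f["path"]))


def build_sample_esp(base) -> Path:
    """Construct a fake ESP with the artifacts described in the article.
    Demo data only: placement of reloader.efi/cloak.dat is an assumption."""
    root = Path(base)
    boot = root / BOOT_DIR
    boot.mkdir(parents=True)
    (boot / "bootmgfw.efi").write_bytes(b"MZ" + b"\x00" * 64)        # stand-in for the real loader
    (boot / "bootmgfw.efi.old").write_bytes(b"MZ" + b"\x00" * 64)    # backup, as the article describes
    (boot / "config").write_bytes(os.urandom(4096))                 # stands in for Salsa20 ciphertext
    (boot / "verify").write_bytes(os.urandom(4096))                 # stands in for the encrypted array
    (boot / "reloader.efi").write_bytes(b"MZ" + b"\x00" * 64)
    (boot / "cloak.dat").write_bytes(os.urandom(4096))
    (root / "EFI" / "Boot").mkdir(parents=True)
    (root / "EFI" / "Boot" / "bootx64.efi").write_bytes(b"MZ" + b"\x00" * 64)  # benign, must not flag
    return root


def demo() -> list:
    """Build the constructed ESP in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_esp(build_sample_esp(Path(tmp) / "esp"))


if __name__ == "__main__":
    for f in demo():
        ent = "" if f["entropy"] is None else f" (entropy {f['entropy']:.2f} bits/byte)"
        print(f"{f['indicator']}: {f['path']}{ent}")
```

On a live Windows host the ESP is normally unmounted; point `scan_esp` at a mounted copy or at a directory extracted from a forensic image, and treat any hit on the planted-file or loader names as grounds to compare the boot manager against a known-good copy before the machine is rebooted.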
Once the EFI bootkit gains control during the pre-OS phase, it reads its configuration and encryption flag.
If the flag is set to "ready for encryption", the bootkit extracts the Salsa20 key and nonce, rewrites the configuration flag, and encrypts the NTFS Master File Table (MFT) on all detected partitions.
During this process, a deceptive CHKDSK-like progress message is shown to the victim, masking the malicious activity.
Fake CHKDSK message shown by HybridPetya during disk encryption (Source – Welivesecurity)
After encryption completes, the system reboots, presenting a NotPetya-style ransom note.
Infection Mechanism and Persistence
HybridPetya's infection mechanism hinges on the interaction between its Windows installer and UEFI bootkit.
The installer begins by calling the native API NtRaiseHardError to induce a shutdown, ensuring the malicious bootloader will execute on restart:
NtRaiseHardError(STATUS_HOST_DOWN, 0, 0, NULL, OptionShutdownSystem, &Response);
This crash trick ensures that the UEFI component runs under Secure Boot enforcement, or, on outdated systems, with Secure Boot bypassed.
Upon reboot, the EFI application locates \EFI\Microsoft\Boot\config, examines the encryption flag, and branches into encryption or decryption logic.
For decryption, the victim must enter a 32-character key; the EFI bootkit then decrypts the verify file and, if the plaintext matches a series of 0x07 bytes, proceeds to restore the MFT and the legitimate bootloaders from their .old backups.
By embedding this persistence directly in the firmware layer, HybridPetya ensures the ransomware cannot be removed by standard OS-level remediation tools, raising its resilience and framing it as a milestone in firmware-targeted threats.
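The verify file described above is a known-plaintext check: a run of 0x07 bytes encrypted under the victim's key, which lets the bootkit reject a wrong 32-character key before it touches the MFT. The same property is useful to a responder who obtains a candidate key (for example from a released decryptor) and wants to confirm it offline against a copy of the verify file before attempting any restoration. The example below is added here and is not code from the article or from ESET; it carries a minimal Salsa20 implementation only so that it runs stand-alone (use a vetted library in real tooling). Its assumptions, which the article does not state, are that the ASCII bytes of the 32-character key are used directly as the Salsa20 key, that the verify array is 32 bytes long, and that the nonce is taken from the config file; the key and nonce used in the demo are constructed.

```python
import struct

# Minimal Salsa20/20 (256-bit key, 8-byte nonce), included so the example is
# self-contained. Not the malware's code; a textbook implementation.
SIGMA = struct.unpack("<4I", b"expand 32-byte k")


def _rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _quarter(s: list, a: int, b: int, c: int, d: int) -> None:
    s[b] ^= _rotl32((s[a] + s[d]) & 0xFFFFFFFF, 7)
    s[c] ^= _rotl32((s[b] + s[a]) & 0xFFFFFFFF, 9)
    s[d] ^= _rotl32((s[c] + s[b]) & 0xFFFFFFFF, 13)
    s[a] ^= _rotl32((s[d] + s[c]) & 0xFFFFFFFF, 18)


def _salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    init = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
            c[0], c[1], SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    s = list(init)
    for _ in range(10):                                      # 10 double rounds = 20 rounds
        _quarter(s, 0, 4, 8, 12); _quarter(s, 5, 9, 13, 1)   # column round
        _quarter(s, 10, 14, 2, 6); _quarter(s, 15, 3, 7, 11)
        _quarter(s, 0, 1, 2, 3); _quarter(s, 5, 6, 7, 4)     # row round
        _quarter(s, 10, 11, 8, 9); _quarter(s, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(s, init)])


def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) `data` under key/nonce."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    out = bytearray()
    for blk in range((len(data) + 63) // 64):
        ks = _salsa20_block(key, nonce, blk)
        out.extend(p ^ k for p, k in zip(data[blk * 64:(blk + 1) * 64], ks))
    return bytes(out)


VERIFY_LEN = 32      # assumed length of the verification array
VERIFY_BYTE = 0x07   # per the article: plaintext must be a run of 0x07 bytes


def make_verify_blob(key: bytes, nonce: bytes) -> bytes:
    """Build a verify blob of the kind the article describes: a run of 0x07
    bytes encrypted under the key (constructed here for the demo only)."""
    return salsa20_xor(key, nonce, bytes([VERIFY_BYTE]) * VERIFY_LEN)


def key_unlocks_verify(verify_blob: bytes, candidate_key: str, nonce: bytes) -> bool:
    """Known-plaintext check: decrypt the blob with the 32-character candidate
    and accept only if every byte is 0x07. Assumption: the key string's ASCII
    bytes are used directly as the Salsa20 key."""
    if len(candidate_key) != 32 or not candidate_key.isascii():
        return False
    plain = salsa20_xor(candidate_key.encode("ascii"), nonce, verify_blob)
    return plain == bytes([VERIFY_BYTE]) * len(verify_blob)


def demo() -> tuple:
    """Constructed key and nonce, not real HybridPetya values."""
    real_key = "0123456789ABCDEF0123456789ABCDEF"
    nonce = bytes(range(8))
    blob = make_verify_blob(real_key.encode("ascii"), nonce)
    return (key_unlocks_verify(blob, real_key, nonce),                        # correct key
            key_unlocks_verify(blob, "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ", nonce),  # wrong key
            key_unlocks_verify(blob, "short", nonce))                         # malformed key


if __name__ == "__main__":
    print(demo())
```

Because the check is a pure function of the verify blob, the candidate key and the nonce, it can be run on a copy of the file from an image without booting the infected machine; only once it returns true is there any reason to consider a restoration attempt.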