Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.
Slovakian cybersecurity company ESET said the samples were uploaded to the VirusTotal platform in February 2025.
“HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions,” security researcher Martin Smolár said. “Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.”
In other words, the deployed UEFI application is the central component that takes care of encrypting the Master File Table (MFT) file, which contains metadata related to all the files on the NTFS-formatted partition.
HybridPetya comes with two main components: a bootkit and an installer, with the former appearing in two distinct versions. The bootkit, which is deployed by the installer, is chiefly responsible for loading its configuration and checking its encryption status. It can have three different values –
- 0 – ready for encryption
- 1 – already encrypted, and
- 2 – ransom paid, disk decrypted
Should the value be set to 0, it proceeds to set the flag to 1 and encrypts the EFIMicrosoftBootverify file with the Salsa20 encryption algorithm using the key and nonce specified in the configuration. It also creates a file called “EFIMicrosoftBootcounter” on the EFI System Partition prior to launching the disk encryption process of all NTFS-formatted partitions. The file is used to keep track of the already encrypted disk clusters.
Furthermore, the bootkit updates the fake CHKDSK message displayed on the victim’s screen with information about the current encryption status, while the victim is deceived into thinking that the system is repairing disk errors.
If the bootkit detects that the disk is already encrypted (i.e., the flag is set to 1), it serves a ransom note to the victim, demanding them to send $1,000 in Bitcoin to the specified wallet address (34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2). The wallet is currently empty, although it has received $183.32 between February and May 2025.
The ransom note screen also provides an option for the victim to enter the deception key purchased from the operator after making the payment, following which the bootkit verifies the key and attempts to decrypt the “EFIMicrosoftBootverify” file. In the event the correct key is entered, the flag value is set to 2 and kicks off the decryption step by reading the contents of the “EFIMicrosoftBootcounter” file.
“The decryption stops when the number of decrypted clusters is equal to the value from the counter file,” Smolár said. “During the process of MFT decryption, the bootkit shows the current decryption process status.”
The decryption phase also involves the bootkit recovering the legitimate bootloaders — “EFIBootbootx64.efi” and “EFIMicrosoftBootbootmgfw.efi” — from the backups previously created during the installation process. Once this step is complete, the victim is prompted to reboot their Windows machine.
It’s worth noting that bootloader changes initiated by the installer during the deployment of the UEFI bootkit component triggers a system crash (aka Blue Screen of Death or BSoD) and ensures that the bootkit binary is executed once the device is turned on.
Select variants of HybridPetya, ESET added, have been found to exploit CVE‑2024‑7344 (CVSS score: 6.7), a remote code execution vulnerability in the Howyar Reloader UEFI application (“reloader.efi”, renamed in the artifact as “EFIMicrosoftBootbootmgfw.efi”) that could result in a Secure Boot bypass.
The variant also packs in a specially crafted file named “cloak.dat,” which is loadable through reloader.efi and contains the XORed bootkit binary. Microsoft has since revoked the old, vulnerable binary as part of its Patch Tuesday update for January 2025 update.
“When the reloader.efi binary (deployed as bootmgfw.efi) is executed during boot, it searches for the presence of the cloak.dat file on the EFI System Partition, and loads the embedded UEFI application from the file in a very unsafe way, completely ignoring any integrity checks, thus bypassing UEFI Secure Boot,” ESET said.
Another aspect where HybridPetya and NotPetya differ is that, unlike the latter’s destructive capabilities, the newly identified artifact allows the threat actors to reconstruct the decryption key from the victim’s personal installation keys.
Telemetry data from ESET indicates no evidence of HybridPetya being used in the wild. The cybersecurity company also pointed out the recent discovery of a UEFI Petya Proof-of-Concept (PoC) by security researcher Aleksandra “Hasherezade” Doniec, adding it’s possible there could be “some relationship between the two cases.” However, it doesn’t rule out the possibility that HybridPetya may also be a PoC.
“HybridPetya is now at least the fourth publicly known example of a real or proof-of-concept UEFI bootkit with UEFI Secure Boot bypass functionality, joining BlackLotus (exploiting CVE‑2022‑21894), BootKitty (exploiting LogoFail), and the Hyper-V Backdoor PoC (exploiting CVE‑2020‑26200),” ESET said.
“This shows that Secure Boot bypasses are not just possible – they’re becoming more common and attractive to both researchers and attackers.”
About The Author
Original post here
