
HybridPetya Ransomware Bypasses UEFI Secure Boot

Summary

– ESET researchers discovered HybridPetya, a new malware combining ransomware and bootkit capabilities that mimics the Petya/NotPetya malware.
– HybridPetya can compromise UEFI-based systems and weaponizes CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems.
– Unlike NotPetya, HybridPetya allows operators to reconstruct decryption keys from victims’ installation keys, making it viable as regular ransomware.
– The malware was uploaded from Poland to VirusTotal, and ESET telemetry shows no active use in the wild, suggesting it may be a proof of concept.
– HybridPetya represents the fourth known UEFI bootkit with Secure Boot bypass functionality, indicating these exploits are becoming more common.

A newly identified ransomware threat known as HybridPetya combines bootkit capabilities with encryption-based extortion and exploits a known UEFI Secure Boot vulnerability on systems that have not yet applied the corresponding revocation. Security researchers at ESET uncovered the malware, which draws clear inspiration from the notorious Petya and NotPetya campaigns but adds tactics aimed at bypassing firmware-level protections.

The malware sample first appeared in late July 2025, uploaded to VirusTotal from a Polish source under filenames such as notpetyanew.exe. According to ESET researcher Martin Smolár, the naming convention and behavioral traits strongly echo the 2017 NotPetya incident, widely regarded as one of the most damaging cyberattacks in history with losses exceeding $10 billion. Despite these similarities, HybridPetya incorporates several technical distinctions that set it apart.

One notable difference lies in key handling. NotPetya displayed an installation key that was random data with no relation to the disk encryption key, so nobody, its operators included, could decrypt a victim. HybridPetya instead uses a key generation method that lets its operators reconstruct the decryption key from a victim's installation key, which makes it functionally viable as conventional ransomware, much like the original Petya strain.
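To make the distinction concrete, here is an added example (not HybridPetya's, Petya's or ESET's code) that models the two designs side by side. The Petya family wraps its disk key under a key exchange whose private half never ships in the malware; the toy Diffie-Hellman group below (p = 2**127 - 1, g = 3) is an assumption chosen so the example runs with the standard library only and is far too small for real use. The 32-byte disk key, the 56-byte installation-key layout and the HMAC-style tag are likewise constructed for illustration.

```python
"""Why the installation key decides whether ransomware is decryptable.
Added example: a constructed simplification, not real Petya/HybridPetya crypto."""
import hashlib
import hmac
import os

# Toy Diffie-Hellman group (assumption, for illustration only: far too small to
# be secure, but p = 2**127 - 1 is prime so the arithmetic below is valid).
P = 2**127 - 1
G = 3
ELEM_LEN = 16        # bytes needed to carry one group element (< 2**127)
DISK_KEY_LEN = 32
TAG_LEN = 8


def _to_bytes(n):
    return n.to_bytes(ELEM_LEN, "big")


def _rand_exponent():
    return int.from_bytes(os.urandom(ELEM_LEN), "big") % (P - 2) + 2


def _derive(shared, label):
    # Derive a per-victim pad or tag key from the DH shared secret.
    return hashlib.sha256(label + _to_bytes(shared)).digest()


def operator_keypair():
    """Generated once by the operator; only the public half ships in the malware."""
    priv = _rand_exponent()
    return priv, pow(G, priv, P)


def petya_style_install_key(disk_key, operator_pub):
    """Victim side: wrap the disk key under a fresh DH shared secret.
    Installation key layout: eph_pub || (disk_key XOR pad) || tag  (56 bytes)."""
    assert len(disk_key) == DISK_KEY_LEN
    x = _rand_exponent()
    eph_pub = pow(G, x, P)
    shared = pow(operator_pub, x, P)
    pad = _derive(shared, b"pad")
    wrapped = bytes(a ^ b for a, b in zip(disk_key, pad))
    tag = hashlib.sha256(_derive(shared, b"tag") + wrapped).digest()[:TAG_LEN]
    return _to_bytes(eph_pub) + wrapped + tag


def operator_recover(install_key, operator_priv):
    """Operator side: recompute the shared secret and unwrap the disk key.
    Returns None when the tag fails (random junk, or another operator's key)."""
    if len(install_key) != ELEM_LEN + DISK_KEY_LEN + TAG_LEN:
        return None
    eph_pub = int.from_bytes(install_key[:ELEM_LEN], "big")
    wrapped = install_key[ELEM_LEN:ELEM_LEN + DISK_KEY_LEN]
    tag = install_key[ELEM_LEN + DISK_KEY_LEN:]
    shared = pow(eph_pub, operator_priv, P)
    expected = hashlib.sha256(_derive(shared, b"tag") + wrapped).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    pad = _derive(shared, b"pad")
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def notpetya_style_install_key(disk_key):
    """NotPetya-style: the displayed value is random and carries no information
    about disk_key, so nobody can recover it. disk_key is deliberately unused."""
    return os.urandom(ELEM_LEN + DISK_KEY_LEN + TAG_LEN)


def demo():
    priv, pub = operator_keypair()
    disk_key = os.urandom(DISK_KEY_LEN)
    recoverable = petya_style_install_key(disk_key, pub)
    dead_end = notpetya_style_install_key(disk_key)
    return {
        "petya_style_recovers": operator_recover(recoverable, priv) == disk_key,
        "notpetya_style_recovers": operator_recover(dead_end, priv) == disk_key,
    }


if __name__ == "__main__":
    print(demo())
```

The point for analysts is the asymmetry: with only the sample in hand you hold the operator's public value and can confirm the wrapping is sound, but you cannot unwrap a victim's key; the operator can, so a decryptor exists in principle and the extortion model works. A NotPetya-style value fails the tag check for everyone.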

More alarmingly, HybridPetya targets systems that boot through UEFI firmware. It installs a malicious EFI application on the EFI System Partition (ESP); when that application runs at boot, it encrypts the Master File Table (MFT), the NTFS metadata structure that records every file on the volume. With the MFT encrypted, the file contents still sit on disk but the operating system can no longer locate them, which effectively paralyzes the infected machine.

Further analysis revealed that the threat leverages CVE-2024-7344, a UEFI Secure Boot bypass vulnerability that ESET disclosed in January 2025. The flaw lies in a Microsoft-signed third-party UEFI application that loads a binary from a file named cloak.dat with its own custom PE loader, skipping the Secure Boot verification that the standard UEFI LoadImage path would perform. Although ESET's publication intentionally omitted exploitation details, the malware author appears to have reverse-engineered the flaw and constructed a properly formatted cloak.dat that the signed loader accepts, enabling the bypass. Systems that have applied the January 2025 Secure Boot revocation (dbx) update, which revokes the vulnerable binary, are not exposed to this vector.
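The two on-disk artefacts the article names, a foreign EFI application on the ESP and a cloak.dat container next to a signed loader, are straightforward to hunt for in an offline copy of the partition. The script below is an added example (not ESET's tooling and not tied to any real sample): it walks a mounted ESP image, flags any cloak.dat, any PE executable outside the directories Windows itself uses, and any .efi file lacking a PE header, and records a SHA-256 per file for later matching against published hashes. The allowlist of "expected" directories, the EFI/Vendor path, and the sample tree are assumptions constructed for the demo; no real indicator hashes are included.

```python
"""Offline triage of an EFI System Partition (ESP) copy for bootkit artefacts.
Added example for this article; not ESET's or any vendor's code."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

# Assumption: on a Windows host, legitimate EFI binaries live only here.
# Tune for your fleet (Linux ESPs add EFI/ubuntu, EFI/fedora, OEM dirs, ...).
EXPECTED_EFI_DIRS = {"EFI/BOOT", "EFI/MICROSOFT/BOOT"}
PE_MAGIC = b"MZ"


@dataclass
class Finding:
    path: str      # relative to the ESP root, '/'-separated
    reason: str
    sha256: str    # for matching against published IOC hashes


def _read_tree(root):
    """Return {relative_path: bytes} for every file below root."""
    tree = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = fh.read()
    return tree


def triage_esp(root):
    """Flag cloak.dat containers, out-of-place PE executables and .efi names
    that are not PE files. Returns findings sorted by path."""
    tree = _read_tree(root)
    is_pe = {rel: data[:2] == PE_MAGIC for rel, data in tree.items()}
    dirs_with_pe = {os.path.dirname(rel).upper() for rel, pe in is_pe.items() if pe}
    findings = []
    for rel, data in tree.items():
        parent = os.path.dirname(rel).upper()
        name = os.path.basename(rel).lower()
        digest = hashlib.sha256(data).hexdigest()
        if name == "cloak.dat":
            reason = "cloak.dat: input container of the loader vulnerable to CVE-2024-7344"
            if parent in dirs_with_pe:
                reason += "; PE executable in the same directory"
            findings.append(Finding(rel, reason, digest))
        elif is_pe[rel] and parent not in EXPECTED_EFI_DIRS:
            findings.append(Finding(rel, "PE executable outside expected boot directories", digest))
        elif name.endswith(".efi") and not is_pe[rel]:
            findings.append(Finding(rel, ".efi name without a PE header (possible masquerade)", digest))
    return sorted(findings, key=lambda f: f.path)


def build_sample_esp():
    """Constructed sample ESP (not real malware): two normal-looking boot
    loaders, a hypothetical vendor directory holding a loader plus cloak.dat,
    and a text file misnamed .efi. The PE content is a bare MZ/PE stub."""
    root = tempfile.mkdtemp(prefix="esp_")
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    files = {
        "EFI/Microsoft/Boot/bootmgfw.efi": fake_pe,
        "EFI/Boot/bootx64.efi": fake_pe,
        "EFI/Boot/readme.efi": b"just text, not a PE file\n",
        "EFI/Vendor/loader.efi": fake_pe,          # hypothetical path
        "EFI/Vendor/cloak.dat": b"\x5a" * 128,     # constructed opaque blob
        "EFI/Vendor/config.ini": b"[boot]\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo():
    root = build_sample_esp()
    try:
        return triage_esp(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason} [{f.sha256[:16]}...]")
```

Run it against a mounted ESP (for example `triage_esp("/mnt/esp")` on Linux, or the mountvol-assigned drive on Windows) taken from a disk image rather than the live system, since a bootkit that is already running can hide from in-OS views. Expect legitimate OEM and Linux directories to trip the "outside expected boot directories" rule until the allowlist reflects your fleet; the cloak.dat rule is the high-signal one.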

Despite its sophisticated design, there is no current evidence of HybridPetya being deployed in active attacks. Its presence may represent a proof-of-concept developed either by a security researcher testing defenses or a threat actor refining tools for future use. Importantly, the malware lacks the worm-like propagation features that made NotPetya so explosively contagious.

HybridPetya now stands as at least the fourth publicly documented UEFI bootkit capable of circumventing Secure Boot, joining BlackLotus, Bootkitty, and a Hyper-V backdoor proof-of-concept. The trend underscores growing interest among both attackers and researchers in undermining firmware security, a concerning development for defenders who rely on Secure Boot as a foundational protection layer and a reminder that Secure Boot is only as strong as the revocation state of the platform's dbx.

(Source: HelpNet Security)
