Cybersecurity researchers have found a brand new ransomware pressure dubbed HybridPetya that resembles the infamous Petya/NotPetya malware, whereas additionally incorporating the power to bypass the Safe Boot mechanism in Unified Extensible Firmware Interface (UEFI) programs utilizing a now-patched vulnerability disclosed earlier this 12 months.
Slovakian cybersecurity firm ESET mentioned the samples had been uploaded to the VirusTotal platform in February 2025.
“HybridPetya encrypts the Grasp File Desk, which incorporates necessary metadata about all of the information on NTFS-formatted partitions,” safety researcher Martin Smolár mentioned. “Not like the unique Petya/NotPetya, HybridPetya can compromise fashionable UEFI-based programs by putting in a malicious EFI software onto the EFI System Partition.”
In different phrases, the deployed UEFI software is the central part that takes care of encrypting the Grasp File Desk (MFT) file, which incorporates metadata associated to all of the information on the NTFS-formatted partition.
HybridPetya comes with two primary parts: a bootkit and an installer, with the previous showing in two distinct variations. The bootkit, which is deployed by the installer, is mainly liable for loading its configuration and checking its encryption standing. It may well have three totally different values –
- 0 – prepared for encryption
- 1 – already encrypted, and
- 2 – ransom paid, disk decrypted
Ought to the worth be set to 0, it proceeds to set the flag to 1 and encrypts the EFIMicrosoftBootverify file with the Salsa20 encryption algorithm utilizing the important thing and nonce specified within the configuration. It additionally creates a file referred to as “EFIMicrosoftBootcounter” on the EFI System Partition previous to launching the disk encryption means of all NTFS-formatted partitions. The file is used to maintain monitor of the already encrypted disk clusters.
Moreover, the bootkit updates the faux CHKDSK message displayed on the sufferer’s display screen with details about the present encryption standing, whereas the sufferer is deceived into pondering that the system is repairing disk errors.
If the bootkit detects that the disk is already encrypted (i.e., the flag is about to 1), it serves a ransom be aware to the sufferer, demanding them to ship $1,000 in Bitcoin to the required pockets deal with (34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2). The pockets is at the moment empty, though it has acquired $183.32 between February and Might 2025.
The ransom be aware display screen additionally supplies an possibility for the sufferer to enter the deception key bought from the operator after making the cost, following which the bootkit verifies the important thing and makes an attempt to decrypt the “EFIMicrosoftBootverify” file. Within the occasion the proper secret is entered, the flag worth is about to 2 and kicks off the decryption step by studying the contents of the “EFIMicrosoftBootcounter” file.
“The decryption stops when the variety of decrypted clusters is the same as the worth from the counter file,” Smolár mentioned. “Through the means of MFT decryption, the bootkit exhibits the present decryption course of standing.”
The decryption section additionally entails the bootkit recovering the official bootloaders — “EFIBootbootx64.efi” and “EFIMicrosoftBootbootmgfw.efi” — from the backups beforehand created in the course of the set up course of. As soon as this step is full, the sufferer is prompted to reboot their Home windows machine.
It is price noting that bootloader modifications initiated by the installer in the course of the deployment of the UEFI bootkit part triggers a system crash (aka Blue Display screen of Demise or BSoD) and ensures that the bootkit binary is executed as soon as the gadget is turned on.
Choose variants of HybridPetya, ESET added, have been discovered to use CVE‑2024‑7344 (CVSS rating: 6.7), a distant code execution vulnerability within the Howyar Reloader UEFI software (“reloader.efi”, renamed within the artifact as “EFIMicrosoftBootbootmgfw.efi”) that would lead to a Safe Boot bypass.
The variant additionally packs in a specifically crafted file named “cloak.dat,” which is loadable by reloader.efi and incorporates the XORed bootkit binary. Microsoft has since revoked the outdated, susceptible binary as a part of its Patch Tuesday replace for January 2025 replace.
“When the reloader.efi binary (deployed as bootmgfw.efi) is executed throughout boot, it searches for the presence of the cloak.dat file on the EFI System Partition, and masses the embedded UEFI software from the file in a really unsafe means, utterly ignoring any integrity checks, thus bypassing UEFI Safe Boot,” ESET mentioned.
One other facet the place HybridPetya and NotPetya differ is that, in contrast to the latter’s harmful capabilities, the newly recognized artifact permits the risk actors to reconstruct the decryption key from the sufferer’s private set up keys.
Telemetry knowledge from ESET signifies no proof of HybridPetya getting used within the wild. The cybersecurity firm additionally identified the current discovery of a UEFI Petya Proof-of-Idea (PoC) by safety researcher Aleksandra “Hasherezade” Doniec, including it is attainable there may very well be “some relationship between the 2 instances.” Nonetheless, it would not rule out the chance that HybridPetya might also be a PoC.
“HybridPetya is now not less than the fourth publicly recognized instance of an actual or proof-of-concept UEFI bootkit with UEFI Safe Boot bypass performance, becoming a member of BlackLotus (exploiting CVE‑2022‑21894), BootKitty (exploiting LogoFail), and the Hyper-V Backdoor PoC (exploiting CVE‑2020‑26200),” ESET mentioned.
“This exhibits that Safe Boot bypasses usually are not simply attainable – they’re changing into extra widespread and engaging to each researchers and attackers.”