Ethical Hacking News
New HybridPetya ransomware can bypass UEFI Secure Boot to encrypt computers
* HybridPetya ransomware can bypass UEFI Secure Boot by exploiting a previously unpatched vulnerability in Microsoft's operating system (CVE-2024-7344).
* The new ransomware strain incorporates characteristics from both Petya and NotPetya, including their visual style and attack chain.
* HybridPetya can drop a malicious bootkit into the EFI System Partition, allowing it to encrypt computers and prevent Windows from booting.
* The ransomware replaces the original bootloader with the vulnerable 'reloader.efi' file, removes the fallback bootloader, and keeps a backup of the original Windows bootloader to be restored if the ransom is paid.
* HybridPetya triggers a BSOD displaying a bogus error, forces a system reboot, and encrypts all MFT clusters using a Salsa20 key and nonce extracted from the config file.
* The ransomware demands a Bitcoin payment of $1,000 in exchange for a 32-character key that restores the original bootloader and decrypts the clusters.
HybridPetya, a recent ransomware strain that has been making headlines in the cybersecurity world, appears inspired by the destructive Petya/NotPetya malware that encrypted computers and prevented Windows from booting in attacks in 2016 and 2017. Unlike its predecessors, however, HybridPetya adds new features such as installation into the EFI System Partition and the ability to bypass Secure Boot by exploiting a previously unpatched vulnerability in Microsoft's operating system.
According to cybersecurity company ESET, researchers discovered a sample of HybridPetya on VirusTotal. The company notes that this may be a research project, a proof-of-concept, or an early version of a cybercrime tool still under limited testing. Even so, the presence of HybridPetya is yet another example of the growing threat posed by UEFI bootkits with Secure Boot bypass functionality.
The new ransomware strain incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain of these older malware strains. However, HybridPetya's developer has added new features such as installation into the EFI System Partition and the ability to bypass Secure Boot by exploiting the CVE-2024-7344 vulnerability.
ESET discovered the flaw in January this year. The issue involves Microsoft-signed applications that could be exploited to deploy bootkits even with Secure Boot protection active on the target. This vulnerability allows HybridPetya to drop a malicious bootkit into the EFI System Partition consisting of several files, including configuration and validation files, a modified bootloader, a fallback UEFI bootloader, an exploit payload container, and a status file that tracks the encryption progress.
The ransomware replaces \EFI\Microsoft\Boot\bootmgfw.efi with the vulnerable ‘reloader.efi,’ and removes \EFI\Boot\bootx64.efi. The original Windows bootloader is also saved to be activated in the case of successful restoration, meaning that the victim paid the ransom.
Upon launch, HybridPetya determines if the host uses UEFI with GPT partitioning and drops a malicious bootkit into the EFI System partition. These files include:
* \EFI\Microsoft\Boot\config (encryption flag + key + nonce + victim ID)
* \EFI\Microsoft\Boot\verify (used to validate correct decryption key)
* \EFI\Microsoft\Boot\counter (progress tracker for encrypted clusters)
* \EFI\Microsoft\Boot\bootmgfw.efi.old (backup of original bootloader)
* \EFI\Microsoft\Boot\cloak.dat (contains XORed bootkit in Secure Boot bypass variant)
HybridPetya triggers a BSOD displaying a bogus error, as Petya did, and forces a system reboot, allowing the malicious bootkit to execute upon system boot. At this step, the ransomware encrypts all MFT clusters using a Salsa20 key and nonce extracted from the config file while displaying a fake CHKDSK message, like NotPetya.
Once the encryption completes, another reboot is triggered and the victim is served a ransom note during system boot, demanding a Bitcoin payment of $1,000. In exchange, the victim is provided a 32-character key they can enter on the ransom note screen, which restores the original bootloader, decrypts the clusters, and prompts the user to reboot.
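As an added defender-side example that is not part of the article or ESET's research, the following Python check inspects a mounted EFI System Partition for the file-level indicators described above (the dropped files, the missing fallback loader, and a bootmgfw.efi that no longer matches a trusted copy). The known-good hash and the sample ESP layout are constructed assumptions for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifacts the article reports HybridPetya leaves in the ESP, relative to its root
# (the article writes them as \EFI\Microsoft\Boot\...).
DROPPED_FILES = [
    "EFI/Microsoft/Boot/config",
    "EFI/Microsoft/Boot/verify",
    "EFI/Microsoft/Boot/counter",
    "EFI/Microsoft/Boot/bootmgfw.efi.old",
    "EFI/Microsoft/Boot/cloak.dat",
]
WINDOWS_BOOTMGR = "EFI/Microsoft/Boot/bootmgfw.efi"  # replaced by reloader.efi
FALLBACK_LOADER = "EFI/Boot/bootx64.efi"             # removed by the malware

def inspect_esp(esp_root, known_good_bootmgr_sha256=None):
    """Return findings for a mounted ESP root (empty list = no indicator seen).
    known_good_bootmgr_sha256: optional SHA-256 of a trusted bootmgfw.efi (assumed)."""
    root = Path(esp_root)
    findings = []
    for rel in DROPPED_FILES:
        if (root / rel).exists():
            findings.append("dropped file present: " + rel)
    if not (root / FALLBACK_LOADER).exists():
        findings.append("fallback loader missing: " + FALLBACK_LOADER)
    bootmgr = root / WINDOWS_BOOTMGR
    if bootmgr.exists() and known_good_bootmgr_sha256:
        if hashlib.sha256(bootmgr.read_bytes()).hexdigest() != known_good_bootmgr_sha256:
            findings.append("bootmgfw.efi differs from known-good reference")
    return findings

def _build_sample_esp(base, infected):
    """Write a constructed ESP layout under base (placeholder bytes, not real binaries)."""
    boot = Path(base) / "EFI" / "Microsoft" / "Boot"
    boot.mkdir(parents=True)
    (Path(base) / "EFI" / "Boot").mkdir(parents=True)
    if infected:
        (boot / "bootmgfw.efi").write_bytes(b"FAKE reloader.efi")
        for rel in DROPPED_FILES:
            (Path(base) / rel).write_bytes(b"x")
    else:
        (boot / "bootmgfw.efi").write_bytes(b"FAKE genuine bootmgfw.efi")
        (Path(base) / FALLBACK_LOADER).write_bytes(b"FAKE bootx64.efi")

def demo(infected):
    # Build a sample ESP in a temp dir and return the findings for it.
    good_hash = hashlib.sha256(b"FAKE genuine bootmgfw.efi").hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        _build_sample_esp(tmp, infected)
        return inspect_esp(tmp, known_good_bootmgr_sha256=good_hash)
```

On a real Windows host the ESP can be mounted with `mountvol S: /S` from an elevated prompt and `inspect_esp("S:/")` run against it; the hash comparison only helps if the reference hash comes from a trusted offline copy.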
While HybridPetya has not been observed in any real attacks in the wild, threat actors may weaponize the PoC and use it in broad campaigns targeting unpatched Windows systems at any time. Indicators of compromise to help defend against this threat have been made available on a GitHub repository.
Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday, so Windows systems that have applied this or later security updates are protected from HybridPetya. Another solid practice against ransomware is to keep offline backups of your most important data, allowing free and easy system restoration.
Related Information:
https://www.ethicalhackingnews.com/articles/New-HybridPetya-Ransomware-Bypassing-UEFI-Secure-Boot-to-Encrypt-Computers-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-hybridpetya-ransomware-can-bypass-uefi-secure-boot/
https://www.eset.com/us/about/newsroom/research/eset-research-discovers-hybridpetya-ransomware-secure-boot-bypass/
Published: Fri Sep 12 12:48:45 2025 by llama3.2 3B Q4_K_M