Ethical Hacking News
New HybridPetya Ransomware Threat Spotted: A Comprehensive Analysis
Cybersecurity researchers have made a groundbreaking discovery, uncovering a new strain of ransomware dubbed HybridPetya. This sophisticated malware shares similarities with the notorious Petya/NotPetya malware, yet boasts an additional feature that allows it to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.
The Slovakian cybersecurity company ESET uploaded the samples of HybridPetya to the VirusTotal platform in February 2025. According to Martin Smolár, security researcher at ESET, "HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions." Unlike its predecessors, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.
The deployed UEFI application is the central component that takes care of encrypting the Master File Table (MFT) file, which contains metadata related to all the files on the NTFS-formatted partition. HybridPetya comes with two main components: a bootkit and an installer. The former appears in two distinct versions.
The bootkit is chiefly responsible for loading its configuration and checking its encryption status flag, which can hold one of three values: 0 (ready for encryption), 1 (already encrypted), and 2 (ransom paid, disk decrypted). If the value is 0, the bootkit sets the flag to 1 and encrypts the "\EFI\Microsoft\Boot\verify" file with the Salsa20 encryption algorithm using the key and nonce specified in the configuration.
Furthermore, the bootkit updates the fake CHKDSK message displayed on the victim's screen with information about the current encryption status. The victim is deceived into thinking that the system is repairing disk errors. If the bootkit detects that the disk is already encrypted (i.e., the flag is set to 1), it serves a ransom note to the victim, demanding them to send $1,000 in Bitcoin to the specified wallet address.
Another key feature of HybridPetya is its ability to exploit CVE-2024-7344, a remote code execution vulnerability in the Howyar Reloader UEFI application that could result in a Secure Boot bypass. This variant also packs in a specially crafted file named "cloak.dat," which is loadable through reloader.efi and contains the XORed bootkit binary.
Microsoft has since revoked the old, vulnerable binary as part of its Patch Tuesday update for January 2025.
The decryption phase involves the bootkit recovering the legitimate bootloaders -- "\EFI\Boot\bootx64.efi" and "\EFI\Microsoft\Boot\bootmgfw.efi" -- from the backups previously created during the installation process. Once this step is complete, the victim is prompted to reboot their Windows machine.
It's worth noting that the bootloader changes made by the installer during the deployment of the UEFI bootkit component trigger a system crash (aka Blue Screen of Death or BSoD) and ensure that the bootkit binary is executed once the device is turned on.
The CVE-2024-7344 vulnerability exploited by this variant carries a CVSS score of 6.7 and allows attackers to bypass UEFI Secure Boot protection.
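Because the mitigation for CVE-2024-7344 is a revocation (Microsoft's January 2025 update adds the vulnerable Reloader binary to the UEFI forbidden-signature database, dbx), the practical question for a defender is whether that revocation has actually reached a given machine's firmware. The following parser is an added example for this write-up, not Microsoft's or ESET's code: it walks the EFI_SIGNATURE_LIST structures that make up a dbx variable and reports whether a given SHA-256 entry is present. The hash of the revoked Reloader binary is not on this page, so `RELOADER_AUTHENTICODE_SHA256` is a placeholder the operator must fill in; the `constructed_dbx` helper builds a small dbx blob with made-up entries so the parser can be exercised offline.

```python
"""Check whether a SHA-256 entry is present in a UEFI dbx (forbidden
signatures) blob, i.e. whether a Secure Boot revocation has reached the host.

Added example for this write-up, not vendor code. Assumes a raw dbx variable
body (a sequence of EFI_SIGNATURE_LIST structures). On Linux, efivarfs prepends
a 4-byte attributes field to the variable body, which load_dbx() strips."""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
LINUX_EFIVARS_DBX = "/sys/firmware/efi/efivars/dbx-" + EFI_IMAGE_SECURITY_DATABASE_GUID

# Placeholder: the Authenticode SHA-256 of the revoked reloader.efi is not given
# in the article and must be supplied by the operator.
RELOADER_AUTHENTICODE_SHA256 = "<sha256 of the revoked reloader.efi>"

SIG_LIST_HDR = 16 + 4 + 4 + 4  # SignatureType GUID + ListSize + HeaderSize + SignatureSize


def parse_signature_lists(data):
    """Yield (signature_type, owner, signature_bytes) for every entry in the blob."""
    off = 0
    while off + SIG_LIST_HDR <= len(data):
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < SIG_LIST_HDR or end > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + SIG_LIST_HDR + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=bytes(data[pos:pos + 16]))
            yield sig_type, owner, bytes(data[pos + 16:pos + sig_size])
            pos += sig_size
        off = end


def sha256_hashes_in_dbx(data):
    """Return the set of SHA-256 hex digests listed under EFI_CERT_SHA256_GUID."""
    return {sig.hex() for t, _, sig in parse_signature_lists(data) if t == EFI_CERT_SHA256_GUID}


def is_revoked(dbx_body, sha256_hex):
    return sha256_hex.lower() in sha256_hashes_in_dbx(dbx_body)


def load_dbx(path=LINUX_EFIVARS_DBX):
    """Read the dbx body from efivarfs, dropping the 4-byte attributes prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type, signatures, owner=uuid.UUID(int=0)):
    """Construct one EFI_SIGNATURE_LIST holding fixed-size signatures (test input only)."""
    sig_size = 16 + len(signatures[0])
    body = b"".join(owner.bytes_le + s for s in signatures)
    header = sig_type.bytes_le + struct.pack("<III", SIG_LIST_HDR + len(body), 0, sig_size)
    return header + body


def constructed_dbx():
    """Constructed sample dbx with two made-up revoked hashes (not real DBX values)."""
    revoked = [hashlib.sha256(b"constructed revoked binary %d" % i).digest() for i in range(2)]
    return build_signature_list(EFI_CERT_SHA256_GUID, revoked), revoked


if __name__ == "__main__":
    body, revoked = constructed_dbx()
    print("entries in constructed dbx:", len(sha256_hashes_in_dbx(body)))
    print("first constructed hash revoked:", is_revoked(body, revoked[0].hex()))
    # On a real Linux host: is_revoked(load_dbx(), RELOADER_AUTHENTICODE_SHA256)
```

One caveat that trips up practitioners: the SHA-256 values in dbx are Authenticode hashes of the PE image (computed over the file with the checksum and certificate table excluded), not the plain `sha256sum` of the file, so the hash you compare must be produced the same way the revocation entry was.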
HybridPetya also differs from NotPetya in that, whereas NotPetya was purely destructive, the newly identified artifact allows the threat actors to reconstruct the decryption key from the victim's personal installation key. Telemetry data from ESET indicates no evidence of HybridPetya being used in the wild.
The cybersecurity company also pointed to the recent discovery of a UEFI Petya Proof-of-Concept (PoC) by security researcher Aleksandra "Hasherezade" Doniec, adding that there could be "some relationship between the two cases." ESET also does not rule out the possibility that HybridPetya itself is a PoC.
The emergence of HybridPetya highlights the increasing sophistication of ransomware threats and the importance of staying vigilant in the face of evolving security challenges. The fact that this malware can bypass UEFI Secure Boot protection underscores the need for continuous monitoring and patching to prevent such vulnerabilities from being exploited.
Cybersecurity researchers have discovered a new strain of ransomware called HybridPetya, which shares similarities with the notorious Petya/NotPetya malware. HybridPetya can bypass UEFI Secure Boot protection using a now-patched vulnerability disclosed earlier this year. The malware encrypts the Master File Table, containing important metadata about files on NTFS-formatted partitions. It comes with two main components: a bootkit and an installer, which work together to encrypt files and display fake CHKDSK messages. HybridPetya exploits CVE-2024-7344, a remote code execution vulnerability in the Howyar Reloader UEFI application. The malware can reconstruct the decryption key from the victim's personal installation keys, unlike NotPetya's destructive capabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/New-HybridPetya-Ransomware-Threat-Spotted-A-Comprehensive-Analysis-ehn.shtml
https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
https://nvd.nist.gov/vuln/detail/CVE-2024-7344
https://www.cvedetails.com/cve/CVE-2024-7344/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://breach-hq.com/threat-actors
Published: Fri Sep 12 08:30:57 2025 by llama3.2 3B Q4_K_M