HybridPetya Ransomware Bypasses UEFI Secure Boot, ESET Warns

HybridPetya Ransomware Can Bypass UEFI Secure Boot, Exploits Patched Vulnerability, Researchers Warn

  • ESET researchers identified a new ransomware, HybridPetya, whose bootkit can run on systems with UEFI Secure Boot enabled.
  • HybridPetya encrypts the NTFS Master File Table using a bootkit installed on the device’s EFI System Partition.
  • On unpatched systems, the ransomware exploits CVE-2024-7344, a vulnerability in a Microsoft-signed UEFI application that Microsoft revoked in January 2025, to get its unsigned bootkit loaded despite Secure Boot.
  • Victims see a fake disk-repair message, then a ransom note demanding $1,000 in Bitcoin; a decryption key bought from the attacker restores the system.
  • No real-world attacks using HybridPetya have been detected; it may be a proof-of-concept or research sample.

Cybersecurity researchers at ESET have discovered a new ransomware family named HybridPetya. The malware is similar to the earlier Petya and NotPetya attacks but adds the ability to bypass the Secure Boot mechanism of modern Unified Extensible Firmware Interface (UEFI) systems. The first samples appeared online in February 2025.


HybridPetya encrypts the Master File Table (MFT), the NTFS structure that stores the metadata for every file on the volume; with the MFT encrypted, the files cannot be located or opened. According to ESET researcher Martin Smolár, “Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application on the EFI System Partition.” The ransomware consists of two main parts: an installer and a bootkit. On each boot, the bootkit checks whether the system is still waiting to be encrypted, is already encrypted, or has had its ransom paid, and acts accordingly.

When it starts encrypting, HybridPetya takes over the UEFI boot process and uses Salsa20, a stream cipher, to encrypt the MFT. It keeps a counter file on the EFI System Partition that records how far the encryption has progressed, and meanwhile displays a fake disk-repair message so the user believes a routine check is running. If on a later boot the bootkit finds the system already encrypted, it shows a ransom note demanding $1,000 in Bitcoin, to be sent to a specific wallet address. That wallet received around $183 between February and May 2025.

After paying, the victim enters the decryption key supplied by the attacker at the ransom screen. If the key is accepted, HybridPetya decrypts the MFT and restores the system’s original bootloaders. To get its bootkit running under Secure Boot, the malware exploits CVE‑2024‑7344, a vulnerability in the Howyar Reloader UEFI application: that signed loader will load an unsigned payload from a specially crafted file named “cloak.dat” without the checks Secure Boot is meant to enforce. Microsoft revoked the affected binaries in its January 2025 security update, so the bypass only works on systems that have not applied that revocation (the dbx update); on a patched machine the firmware refuses to run the revoked loader.
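As an added illustration (not code from ESET or from the HybridPetya sample), the following Python simulates the bootkit workflow described above: a status flag on the EFI System Partition selects between encrypting, showing the ransom note, and chaining to the original loader; the MFT is encrypted with Salsa20; a counter file makes the encryption resumable; and a typed key is validated before anything is decrypted. The ESP is modelled as a dict of file name to bytes. The file names, the 0/1/2 flag values, the 512-byte cluster size and the key check (a known 0x37-filled block encrypted under the key, a scheme borrowed from the original Petya) are assumptions and are not taken from the article.

```python
"""Simulation of a Petya-style UEFI bootkit's encrypt / ransom / decrypt state
machine. Added example, not HybridPetya code: the EFI System Partition is a
dict of file name -> bytes, and the file names, status flag values and the
key-check scheme are assumptions modelled on the original Petya."""
import struct

CLUSTER = 512                       # simulated MFT record size (assumption)
BLOCKS_PER_CLUSTER = CLUSTER // 64  # Salsa20 emits 64-byte keystream blocks
VERIFY_BLOCK = 1 << 32              # keystream position reserved for the key check
STATE_READY, STATE_ENCRYPTED, STATE_PAID = 0, 1, 2
MAGIC = b"\x37" * CLUSTER           # known pattern encrypted for key verification

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _qr(s, a, b, c, d):  # Salsa20 quarter-round, in place
    s[b] ^= _rotl((s[a] + s[d]) & 0xFFFFFFFF, 7)
    s[c] ^= _rotl((s[b] + s[a]) & 0xFFFFFFFF, 9)
    s[d] ^= _rotl((s[c] + s[b]) & 0xFFFFFFFF, 13)
    s[a] ^= _rotl((s[d] + s[c]) & 0xFFFFFFFF, 18)

def salsa20_block(key, nonce, ctr):
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce, 64-bit counter)."""
    c = struct.unpack("<4I", b"expand 32-byte k")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    init = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
            ctr & 0xFFFFFFFF, (ctr >> 32) & 0xFFFFFFFF,
            c[2], k[4], k[5], k[6], k[7], c[3]]
    x = init[:]
    for _ in range(10):  # 10 double-rounds = 20 rounds
        _qr(x, 0, 4, 8, 12); _qr(x, 5, 9, 13, 1); _qr(x, 10, 14, 2, 6); _qr(x, 15, 3, 7, 11)
        _qr(x, 0, 1, 2, 3); _qr(x, 5, 6, 7, 4); _qr(x, 10, 11, 8, 9); _qr(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & 0xFFFFFFFF for a, b in zip(x, init)])

def salsa20_xor(key, nonce, data, first_block):
    """XOR data with keystream from block index first_block; encryption == decryption."""
    out = bytearray(data)
    for i in range(0, len(out), 64):
        ks = salsa20_block(key, nonce, first_block + i // 64)
        for j in range(min(64, len(out) - i)):
            out[i + j] ^= ks[j]
    return bytes(out)

def install(esp, original_bootloader):
    """Installer stage: drop the state files and keep the real loader for the restore."""
    esp["status"] = bytes([STATE_READY])
    esp["counter"] = struct.pack("<I", 0)
    esp["bootloader.bak"] = original_bootloader

def encrypt_mft(esp, mft, key, nonce, stop_after=None):
    """Resumable MFT encryption. The counter file records the clusters already done,
    so a reboot mid-way continues rather than XORing a cluster twice (which would
    silently undo it). stop_after simulates such an interruption."""
    done = struct.unpack("<I", esp["counter"])[0]
    total = len(mft) // CLUSTER
    while done < total and (stop_after is None or done < stop_after):
        off = done * CLUSTER
        mft[off:off + CLUSTER] = salsa20_xor(key, nonce, mft[off:off + CLUSTER], done * BLOCKS_PER_CLUSTER)
        done += 1
        esp["counter"] = struct.pack("<I", done)
    if done == total:
        esp["verify"] = salsa20_xor(key, nonce, MAGIC, VERIFY_BLOCK)
        esp["status"] = bytes([STATE_ENCRYPTED])
    return done

def key_is_valid(esp, key, nonce):
    """Test a typed key against the verify file without touching the MFT."""
    return salsa20_xor(key, nonce, esp["verify"], VERIFY_BLOCK) == MAGIC

def decrypt_mft(esp, mft, key, nonce):
    if not key_is_valid(esp, key, nonce):
        return False
    for i in range(len(mft) // CLUSTER):
        off = i * CLUSTER
        mft[off:off + CLUSTER] = salsa20_xor(key, nonce, mft[off:off + CLUSTER], i * BLOCKS_PER_CLUSTER)
    esp["status"] = bytes([STATE_PAID])
    return True

def boot(esp, mft, nonce, key=None, typed_key=None):
    """Bootkit entry on every boot: branch on the status flag. key is only needed
    on the first (encrypting) boot; typed_key is what the victim enters."""
    state = esp["status"][0]
    if state == STATE_READY:         # fake disk-repair screen shows while this runs
        encrypt_mft(esp, mft, key, nonce)
        return "encrypted"
    if state == STATE_ENCRYPTED:     # ransom note; only a valid key proceeds
        if typed_key is not None and decrypt_mft(esp, mft, typed_key, nonce):
            return "restored"
        return "ransom_note"
    return "original_loader"         # STATE_PAID: chain to bootloader.bak
```

Two details matter for a stream-cipher design like this. Because XOR with the same keystream applied twice is the identity, the counter file is what stops an interrupted run (a reboot during the fake repair screen) from partially undoing its own work; and because the key check only needs the small verify block, the bootkit never has to keep the key on disk after encrypting, which is why a wrong key is rejected before the MFT is touched.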

Experts note that, unlike NotPetya, HybridPetya allows for decryption if users provide the correct key. ESET’s current data shows no signs the ransomware has been used in actual attacks. The company referenced recent discoveries, including a UEFI Petya Proof-of-Concept by security researcher Aleksandra “Hasherezade” Doniec, which may be related.


HybridPetya joins other UEFI bootkits such as BlackLotus and Bootkitty, underlining the growing risk posed by Secure Boot bypass techniques. As ESET puts it, “This shows that Secure Boot bypasses are not just possible – they’re becoming more common and attractive to both researchers and attackers.”
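Since a bypass built on a revoked binary only works on machines whose firmware has not received the revocation, the practical check across a fleet is whether the revoked image hashes are present in the UEFI dbx (forbidden signatures) variable. Below is an added Python example (not ESET’s or Microsoft’s tooling) that parses a dbx blob in the EFI_SIGNATURE_LIST layout from the UEFI specification and tests a hash for membership. The sample blob is constructed inline from made-up hashes; the hashes to look up in practice are the Authenticode (PE image) SHA-256 digests Microsoft published for the revoked Howyar binaries, which this article does not reproduce.

```python
"""Parse a UEFI dbx blob and test whether a SHA-256 image hash is revoked.
Added example, not ESET's or Microsoft's tooling. Layout follows the UEFI
spec's EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA structures; the sample blob
at the bottom is constructed from made-up hashes."""
import struct
import uuid

# Signature type GUID for SHA-256 hash entries (EFI_CERT_SHA256_GUID)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_signature_lists(blob):
    """Yield (signature_type, owner, data) for every entry in every list.

    EFI_SIGNATURE_LIST: SignatureType GUID (16) | SignatureListSize u32 |
    SignatureHeaderSize u32 | SignatureSize u32 | header | entries.
    Each entry: SignatureOwner GUID (16) | SignatureData (SignatureSize-16)."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def revoked_sha256_hashes(blob):
    """Set of lowercase hex SHA-256 digests the firmware will refuse to run."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}

def is_revoked(blob, authenticode_sha256_hex):
    """True if the PE image's Authenticode SHA-256 (not a plain file hash) is in dbx."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(blob)

def load_efivar(path):
    """Read a variable from Linux efivarfs; the first 4 bytes are attribute flags."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_sha256_list(hashes_hex, owner=uuid.UUID(int=0)):
    """Construct one EFI_SIGNATURE_LIST of SHA-256 entries (used for the sample)."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body

# Constructed sample: three made-up hashes across two lists. A real dbx holds
# hundreds of entries, and the Howyar hashes come from Microsoft's advisory.
SAMPLE_DBX = build_sha256_list(["11" * 32, "22" * 32]) + build_sha256_list(["33" * 32])
```

On Linux the variable is readable at /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f (pass it to load_efivar, which strips the attribute prefix); on Windows, Get-SecureBootUEFI -Name dbx returns the same bytes in its Bytes property. The digest to test is the Authenticode hash of the PE image, computed over the file with the checksum and certificate table excluded, so a plain sha256sum of the .efi will not match an entry.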
