HybridPetya: Petya clone hits UEFI, dodges Secure Boot

September 12, 2025 at 12:00 AM

ESET Research has uncovered HybridPetya, a modern copycat of Petya/NotPetya that targets Windows systems at the UEFI layer. Found on VirusTotal, HybridPetya combines classic MFT encryption with a UEFI bootkit and, on unpatched machines, can bypass Secure Boot by exploiting CVE-2024-7344. While there’s no evidence of in-the-wild use, the toolset shows how boot-level ransomware is evolving.

Key takeaways

  • HybridPetya mimics Petya/NotPetya, but adds UEFI bootkit capability.
  • It encrypts the NTFS Master File Table, effectively crippling file access.
  • One variant can bypass UEFI Secure Boot on outdated systems via CVE-2024-7344.
  • Unlike NotPetya, HybridPetya’s design allows decryption, making it true ransomware rather than a pure wiper.
  • No worm-like propagation observed; samples originated from VirusTotal submissions.

What HybridPetya does (high level)

  • Installs a malicious EFI application on the EFI System Partition to seize control before the OS boots.
  • On first run, encrypts the MFT on NTFS partitions and shows a fake disk check screen to disguise activity.
  • After reboot, displays a ransom note and accepts a 32-character key to initiate decryption and restore normal boot flow.
  • The installer hijacks the boot process by replacing the legitimate Windows bootloader, then forces a system crash to trigger the next boot stage.

Secure Boot bypass via CVE-2024-7344

  • A variant leverages a revoked, vulnerable Microsoft-signed UEFI component to load an unsigned payload from a specially crafted data file, sidestepping integrity checks.
  • Systems that have applied Microsoft’s January 2025 dbx update are protected against this technique.

Petya/NotPetya lineage with a twist

  • HybridPetya imitates the user experience and tactics of Petya/NotPetya (including the fake CHKDSK screen) but differs in one critical way: its key handling enables recovery, aligning it more with ransomware than a destructive wiper.
  • Current evidence suggests the samples may be a proof of concept rather than an active campaign.

Why this matters

  • HybridPetya joins a growing list of UEFI bootkits capable of Secure Boot bypasses (e.g., BlackLotus, BootKitty, and the Hyper-V Backdoor PoC). The trend underscores that Secure Boot misconfigurations and outdated revocation lists remain high-value targets.

Defensive guidance

  • Apply the latest UEFI Secure Boot dbx updates (including Microsoft’s January 2025 revocations).
  • Keep firmware and OS fully patched; enable Secure Boot with up-to-date revocation lists.
  • Monitor the EFI System Partition for unauthorized changes and unusual bootloader replacements.
  • Use endpoint protection that can detect pre-OS boot tampering and ransomware behavior.
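The guidance above asks defenders to watch the EFI System Partition for unauthorized changes and bootloader replacements. The script below is an added example (not code from ESET or the WeLiveSecurity article) of how such a check can work: it hashes every file under an ESP mount, stores the result as a baseline, and on later runs reports added, removed and modified files, raising an explicit alert when one of the standard Windows bootloader paths changes. The `demo()` function builds a constructed, throw-away directory that mimics an ESP layout and then simulates exactly the kind of bootloader replacement plus dropped payload described on this page; the file contents and the `payload.bin` name are invented for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Paths (relative to the ESP root) whose change most strongly indicates
# boot-chain tampering. These are the standard Windows bootloader locations.
WATCHED = {
    "EFI/Microsoft/Boot/bootmgfw.efi",
    "EFI/Boot/bootx64.efi",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large EFI binaries are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Return {relative POSIX path: sha256} for every regular file under root."""
    snapshot = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            snapshot[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return snapshot


def save_baseline(snapshot: dict, path: Path) -> None:
    path.write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; any change to a WATCHED path becomes an alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    alerts = sorted(k for k in added + removed + modified if k in WATCHED)
    return {"added": added, "removed": removed,
            "modified": modified, "alerts": alerts}


def demo() -> dict:
    """Constructed scenario: fake ESP, baseline it, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        boot = esp / "EFI/Microsoft/Boot"
        boot.mkdir(parents=True)
        # Constructed stand-ins for the real files; contents are not genuine.
        (boot / "bootmgfw.efi").write_bytes(b"GENUINE-BOOTMGFW-PLACEHOLDER")
        (boot / "BCD").write_bytes(b"BCD-STORE-PLACEHOLDER")

        baseline_file = esp / ".." / "esp-baseline.json"
        save_baseline(hash_tree(esp), baseline_file)

        # Simulated tampering in the style the page describes: the legitimate
        # bootloader is overwritten and an extra data file appears on the ESP.
        (boot / "bootmgfw.efi").write_bytes(b"REPLACED-BY-BOOTKIT-PLACEHOLDER")
        (boot / "payload.bin").write_bytes(b"DROPPED-DATA-FILE-PLACEHOLDER")

        result = diff_baseline(load_baseline(baseline_file), hash_tree(esp))
        baseline_file.unlink()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real Windows host the ESP is normally unmounted; an elevated `mountvol S: /S` exposes it as a drive letter, after which `hash_tree(Path("S:/"))` can be baselined once on a known-good system and re-run on a schedule. The baseline file should live somewhere the boot-time attacker cannot reach, such as a central log server, since a bootkit that runs before the OS can alter anything stored on the local disk. Hash comparison catches replacement of the signed bootloader; pairing it with the dbx update check from the guidance above covers the revoked-component path as well.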

Source
WeLiveSecurity
