A newly discovered ransomware strain dubbed HybridPetya has raised alarms in the cybersecurity community for its ability to bypass UEFI Secure Boot protections and install a malicious bootkit within the EFI System Partition. Researchers at ESET uncovered the malware, which appears to borrow heavily from the infamous Petya and NotPetya families that caused widespread disruption in 2016 and 2017. Unlike those destructive attacks, however, HybridPetya introduces new technical features that make it potentially more dangerous if weaponized.
The ransomware demonstrates the growing sophistication of bootkit-based threats. By exploiting CVE-2024-7344, a flaw in a Microsoft-signed third-party UEFI application that loads further code without checking its signature, HybridPetya can run its bootkit even on systems with Secure Boot enabled, as long as the firmware has not yet revoked that signed application. This bypass places it alongside other advanced bootkits such as BlackLotus, BootKitty, and Hyper-V Backdoor, all of which illustrate the escalating risk of UEFI exploitation.
Once executed, HybridPetya checks whether the target boots through UEFI from a GPT-partitioned disk before dropping its components into the EFI System Partition. These include a modified bootloader, encryption progress trackers, validation data, and a cloaked payload intended to evade detection. The malware also keeps a copy of the original Windows bootloader so that it can restore it if the victim pays the demanded ransom of $1,000 in Bitcoin.

Like its predecessors, HybridPetya uses visual tricks to hide what it is doing. The victim sees a Blue Screen of Death and then a bogus CHKDSK screen while the bootkit quietly encrypts the Master File Table (MFT) clusters with the Salsa20 stream cipher; because the MFT is what maps file names to on-disk data, the volume becomes unusable even though most file contents are untouched. After a reboot, the user is presented with a ransom note demanding payment and giving instructions for decryption.
For now, HybridPetya has not been detected in real-world campaigns, and researchers suggest it could be a proof-of-concept or early-stage cybercrime tool under limited testing. Nevertheless, its existence underscores the persistent dangers posed by UEFI bootkits, which allow attackers to gain control at one of the lowest levels of a system. This persistence makes remediation far more complex than with traditional ransomware.
The good news is that Microsoft addressed CVE-2024-7344 in its January 2025 Patch Tuesday release by adding the vulnerable signed application to the Secure Boot revocation list (dbx), so firmware on systems that have applied that update will refuse to load it. Note that this is a firmware-level revocation rather than a conventional binary patch: the dbx variable on each machine must actually contain the update, which is worth verifying instead of assuming from the Windows build. Security experts urge organizations and individuals to apply updates promptly, maintain offline backups, and consult the indicators of compromise that ESET has published on GitHub for defensive use.
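A triage script for the two points above, the artifacts dropped beside the Windows Boot Manager and the firmware-side revocation state, added here as an example and not code from ESET's report or from the malware itself. It assumes it is run from an elevated PowerShell on a UEFI system, that drive letter S: is free, and that the baseline list of files in \EFI\Microsoft\Boot matches your build (adjust it to your image); apart from bootmgfw.efi, those file names are not taken from the article and serve only as a starting baseline.

```powershell
# Added triage script (example only, not ESET's or the malware's code).
# Mounts the EFI System Partition, reports what sits next to the Windows Boot
# Manager, then prints the Secure Boot and dbx state. Run elevated on the host.

$EspLetter = 'S:'                      # assumption: S: is unused on this host
$BootDir   = "$EspLetter\EFI\Microsoft\Boot"

# Assumed baseline for a stock install; tune this to a known-clean reference image.
$Baseline = @('bootmgfw.efi', 'bootmgr.efi', 'memtest.efi', 'BCD',
              'BCD.LOG', 'BCD.LOG1', 'BCD.LOG2', 'boot.stl', 'winsipolicy.p7b')

# Partition style tells you whether the GPT/UEFI code path described above even applies.
Get-Disk | Select-Object Number, PartitionStyle, BootFromDisk | Format-Table -AutoSize

try {
    # mountvol /S is the documented way to expose the ESP on a running system.
    & mountvol $EspLetter /S
    if ($LASTEXITCODE -ne 0) { throw "mountvol failed with exit code $LASTEXITCODE" }

    foreach ($f in Get-ChildItem -Path $BootDir -File -ErrorAction Stop) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $flag = if ($Baseline -notcontains $f.Name) { 'UNEXPECTED' } else { 'baseline' }
        # A renamed copy of the boot manager is the kind of artifact a bootkit keeps
        # so it can restore the original later; always look at these by hand.
        if ($f.Name -like 'bootmgfw.efi.*') { $flag = 'BOOTMGR-COPY' }
        '{0,-13} {1,10} {2}  {3}' -f $flag, $f.Length, $hash, $f.Name
    }

    # Signed third-party loaders (the class of binary CVE-2024-7344 lives in) sit
    # outside the Microsoft directory, so list every other .efi on the partition.
    Get-ChildItem -Path "$EspLetter\EFI" -Recurse -File -Filter '*.efi' |
        Where-Object { $_.FullName -notlike "$BootDir\*" } |
        ForEach-Object {
            'OTHER-EFI     {0,10} {1}  {2}' -f $_.Length,
                (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $_.FullName
        }
}
finally {
    # Always detach the ESP again, even if enumeration failed part way through.
    & mountvol $EspLetter /D | Out-Null
}

# Secure Boot state and the size of the revocation list. Compare the dbx size
# (or a hash of its bytes) against a machine known to have applied the January
# 2025 revocation; an unchanged dbx means the firmware may still accept the
# revoked loader regardless of the Windows build.
try {
    'SecureBoot enabled : {0}' -f (Confirm-SecureBootUEFI)
    $dbx = Get-SecureBootUEFI -Name dbx
    'dbx size           : {0} bytes' -f $dbx.Bytes.Length
    'dbx SHA256         : {0}' -f ([System.BitConverter]::ToString(
        [System.Security.Cryptography.SHA256]::Create().ComputeHash($dbx.Bytes)) -replace '-', '')
}
catch {
    'Secure Boot cmdlets unavailable (legacy BIOS or unsupported platform): {0}' -f $_.Exception.Message
}
```

Hashes of anything flagged UNEXPECTED, BOOTMGR-COPY or OTHER-EFI can then be checked against the published indicators; a baseline mismatch on its own is not proof of compromise, since OEM tools and recovery products legitimately place loaders on the ESP.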
In conclusion, HybridPetya serves as a stark reminder that ransomware is evolving beyond traditional entry points, targeting firmware-level vulnerabilities that can undermine even robust security measures. While this particular strain may not yet be circulating widely, its technical design suggests that similar projects could soon be adapted into real-world attacks. Staying patched, practicing strong backup strategies, and reinforcing UEFI security are critical steps to prevent being caught off guard by the next evolution of ransomware.