ESET specialists discovered a new piece of ransomware, HybridPetya, which can bypass UEFI Secure Boot protection to install a malicious application in the EFI system partition. It is believed that HybridPetya was inspired by the destructive Petya/NotPetya malware, which encrypted computers with no possibility of recovery in 2016–2017.
Researchers have found a HybridPetya sample on VirusTotal. They note that it may be a research project, a proof-of-concept, or an early version of a hacking tool that is still in a limited testing phase.
However, even now HybridPetya is a UEFI bootkit with Secure Boot bypass capabilities and a real threat, just like other similar malware (BlackLotus, BootKitty, and Hyper-V Backdoor).
HybridPetya combines characteristics of Petya and NotPetya, copying the visual style and even the attack chain of these malware families. However, the developers have added new elements, including installing the malware in the EFI System Partition and the ability to bypass Secure Boot by exploiting the CVE-2024-7344 vulnerability.
This vulnerability was discovered by ESET analysts in early 2025. As a reminder, the issue involves a Microsoft-signed application that can be used to install bootkits, even with Secure Boot enabled. The vulnerable UEFI application is used in several third-party system recovery tools.
Microsoft fixed CVE-2024-7344 in January 2025, so Windows systems with this or later security updates installed should be protected against HybridPetya.
On startup, HybridPetya determines whether the host uses UEFI with GPT partitioning and drops a bootkit, consisting of several files, into the EFI System Partition. These include configuration and validation files, a modified bootloader, a fallback UEFI bootloader, an exploit payload container, and a state file that tracks the encryption progress.
The original Windows bootloader is also preserved (for system recovery in case the victim pays the ransom).
After deployment, HybridPetya triggers a BSOD displaying a fake error, as Petya did, and forcibly reboots the system, which allows the bootkit to execute during startup.
At this stage, the malware encrypts all MFT (Master File Table) clusters using a Salsa20 key and nonce extracted from the configuration file, while simultaneously displaying a fake CHKDSK message, as NotPetya did.
After the encryption is complete, the system reboots once more, after which the victim is shown a ransom note demanding $1,000 in Bitcoin.
If the ransom is paid, the victim is provided with a 32-character key that must be entered on the ransom screen. This operation restores the original bootloader, decrypts the clusters, and prompts the user to reboot the computer.
At the moment, the wallet mentioned in the hackers’ message is empty. However, from February to May 2025, it received $183.32.
Although HybridPetya has not yet been observed in real-world attacks, researchers warn that this PoC could at any moment turn into a real threat and be used in campaigns targeting unpatched Windows systems.
Indicators of compromise have already been published on GitHub.