HybridPetya Ransomware Exploits Secure Boot Vulnerability to Infect Windows Systems

A newly identified ransomware variant called HybridPetya has emerged with the ability to bypass UEFI Secure Boot protections and install a malicious bootkit on the EFI System Partition.

The malware takes inspiration from the infamous Petya and NotPetya strains that caused widespread damage in 2016 and 2017 by encrypting systems and blocking Windows from starting, with no recovery option for victims.

According to researchers at cybersecurity company ESET, a sample of HybridPetya was uploaded to VirusTotal. While it may currently be a proof-of-concept, an experimental project, or an early-stage cybercrime tool, its discovery highlights the growing risk of UEFI bootkits with Secure Boot bypass capabilities. Similar threats include BlackLotus, BootKitty, and Hyper-V Backdoor.

HybridPetya not only mimics the attack chain and interface of its predecessors but also introduces advanced features like installation in the EFI System Partition and a Secure Boot bypass using the CVE-2024-7344 vulnerability.

ESET, which discovered this flaw in January 2025, explains that the issue stemmed from Microsoft-signed applications that attackers could exploit to load bootkits despite Secure Boot being enabled. When executed, HybridPetya checks if the system uses UEFI with GPT partitioning before dropping several malicious files into the EFI partition, including:
  • \EFI\Microsoft\Boot\config (encryption flag, key, nonce, victim ID)
  • \EFI\Microsoft\Boot\verify (validates decryption key)
  • \EFI\Microsoft\Boot\counter (tracks encryption progress)
  • \EFI\Microsoft\Boot\bootmgfw.efi.old (backup of Windows bootloader)
  • \EFI\Microsoft\Boot\cloak.dat (XORed bootkit in Secure Boot bypass variant)
The ransomware also replaces the original Windows bootloader (bootmgfw.efi) with the vulnerable reloader.efi and deletes \EFI\Boot\bootx64.efi. If the ransom is paid, the backed-up bootloader is put back so the system can start normally again.
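As an added defensive example (not ESET's tooling or code from the original post), the following script checks a mounted EFI System Partition for the file artifacts listed above: the five dropped files and the missing fallback loader. The directory layout, the `scan_esp` and `build_sample_esp` names and the placeholder file contents are assumptions made for this example.

```python
"""Check a mounted EFI System Partition for the HybridPetya artifacts
listed in the article. Constructed example, not ESET's detection tooling."""
from pathlib import Path
import tempfile

# Files the article says HybridPetya drops, relative to the ESP root.
DROPPED_FILES = {
    "EFI/Microsoft/Boot/config": "encryption flag, key, nonce, victim ID",
    "EFI/Microsoft/Boot/verify": "decryption-key check file",
    "EFI/Microsoft/Boot/counter": "encryption progress counter",
    "EFI/Microsoft/Boot/bootmgfw.efi.old": "backup of the original bootloader",
    "EFI/Microsoft/Boot/cloak.dat": "XORed bootkit (Secure Boot bypass variant)",
}
# Fallback loader the article says the ransomware deletes.
FALLBACK_LOADER = "EFI/Boot/bootx64.efi"


def scan_esp(root):
    """Return findings and a verdict for the ESP mounted at `root`."""
    root = Path(root)
    findings = []
    for rel, meaning in DROPPED_FILES.items():
        if (root / rel).is_file():
            findings.append(f"present: {rel} ({meaning})")
    # A Windows boot directory without bootx64.efi is a weaker, secondary sign.
    if (root / "EFI/Microsoft/Boot").is_dir() and not (root / FALLBACK_LOADER).exists():
        findings.append(f"missing: {FALLBACK_LOADER} (deleted by HybridPetya)")
    verdict = "suspicious" if any(f.startswith("present") for f in findings) else "clean"
    return {"verdict": verdict, "findings": findings}


def build_sample_esp(infected):
    """Construct a throwaway directory mimicking an ESP (assumed layout)."""
    root = Path(tempfile.mkdtemp())
    boot = root / "EFI/Microsoft/Boot"
    boot.mkdir(parents=True)
    (boot / "bootmgfw.efi").write_bytes(b"MZ")  # placeholder, not a real loader
    if infected:
        for rel in DROPPED_FILES:
            (root / rel).write_bytes(b"\x00")  # placeholder content
    else:
        (root / FALLBACK_LOADER).parent.mkdir(parents=True)
        (root / FALLBACK_LOADER).write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for state in (False, True):
        print(state, scan_esp(build_sample_esp(state)))
```

On a live Windows host the ESP is normally unmounted; an administrator can expose it with `mountvol S: /S` and pass `S:\` to `scan_esp`, while on Linux `/boot/efi` is the usual mount point.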

Upon deployment, HybridPetya causes a fake Blue Screen of Death (BSOD), reboots the device, and launches the malicious bootkit. It then encrypts MFT clusters using a Salsa20 key from the config file while displaying a fake CHKDSK screen, similar to NotPetya.

After encryption, another reboot follows, and victims see a ransom note demanding $1,000 in Bitcoin. In return, they are promised a 32-character decryption key to restore files and the original bootloader.

Currently, HybridPetya has not been linked to real-world attacks, but security experts warn it could be weaponized in future campaigns against unpatched Windows systems. Indicators of compromise (IoCs) have been published on GitHub to help organizations defend against this ransomware.

Microsoft patched CVE-2024-7344 in the January 2025 Patch Tuesday update, securing systems that have applied the fix. Experts also recommend maintaining offline backups as a strong defense against ransomware incidents.