Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the infamous Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism on Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.
Slovak cybersecurity company ESET said the samples were uploaded to the VirusTotal platform in February 2025.
"HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions," security researcher Martin Smolár said. "Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition."
In other words, the deployed UEFI application is the central component that takes care of encrypting the Master File Table (MFT) file, which contains metadata about all the files on the NTFS-formatted partition.

HybridPetya comes with two main components: a bootkit and an installer, with the former appearing in two distinct versions. The bootkit, which is deployed by the installer, is mainly responsible for loading its configuration and checking its encryption status. The status flag can have three different values –
- 0 – ready for encryption
- 1 – already encrypted, and
- 2 – ransom paid, disk decrypted
Should the value be set to 0, it proceeds to set the flag to 1 and encrypts the \EFI\Microsoft\Boot\verify file with the Salsa20 encryption algorithm using the key and nonce specified in the configuration. It also creates a file called "\EFI\Microsoft\Boot\counter" on the EFI System Partition prior to launching the disk encryption process for all NTFS-formatted partitions. The file is used to keep track of the disk clusters that have already been encrypted.
Furthermore, the bootkit updates the fake CHKDSK message displayed on the victim's screen with information about the current encryption status, while the victim is deceived into thinking that the system is repairing disk errors.
If the bootkit detects that the disk is already encrypted (i.e., the flag is set to 1), it serves a ransom note to the victim, demanding that they send $1,000 in Bitcoin to the specified wallet address (34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2). The wallet is currently empty, although it received $183.32 between February and May 2025.
The ransom note screen also provides an option for the victim to enter the decryption key purchased from the operator after making the payment, following which the bootkit verifies the key and attempts to decrypt the "\EFI\Microsoft\Boot\verify" file. In the event the correct key is entered, the flag value is set to 2, and the decryption step is kicked off by reading the contents of the "\EFI\Microsoft\Boot\counter" file.
"The decryption stops when the number of decrypted clusters is equal to the value from the counter file," Smolár said. "During the process of MFT decryption, the bootkit displays the current decryption process status."
The decryption phase also involves the bootkit restoring the legitimate bootloaders, "\EFI\Boot\bootx64.efi" and "\EFI\Microsoft\Boot\bootmgfw.efi", from the backups previously created during the installation process. Once this step is complete, the victim is prompted to reboot their Windows machine.

It's worth noting that the bootloader modifications initiated by the installer during deployment of the UEFI bootkit component trigger a system crash (aka Blue Screen of Death or BSoD), which ensures that the bootkit binary is executed once the system is turned back on.
Select variants of HybridPetya, ESET added, have been found to exploit CVE-2024-7344 (CVSS score: 6.7), a remote code execution vulnerability in the Howyar Reloader UEFI application ("reloader.efi", renamed in the artifact as "\EFI\Microsoft\Boot\bootmgfw.efi") that could result in a Secure Boot bypass.
The variant also packs in a specially crafted file named "cloak.dat," which is loadable through reloader.efi and contains the XORed bootkit binary. Microsoft has since revoked the old, vulnerable binary as part of its Patch Tuesday update for January 2025.
"When the reloader.efi binary (deployed as bootmgfw.efi) is executed during boot, it searches for the presence of the cloak.dat file on the EFI System Partition, and loads the embedded UEFI application from the file in a very unsafe manner, completely ignoring any integrity checks, thus bypassing UEFI Secure Boot," ESET said.
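The on-disk artifacts described above (the Boot\verify and Boot\counter files created by the bootkit, cloak.dat loaded by the vulnerable reloader.efi, and the replaced bootloaders) give a responder something concrete to look for on a mounted EFI System Partition. The following triage scanner is an added example written for this article; it is not ESET's tooling and does not come from the HybridPetya samples. It assumes the ESP is mounted read-only at some path, looks for the file names the write-up gives, hashes the two bootloaders against a caller-supplied revocation list (the real revoked reloader.efi hash is not on the page, so a placeholder is used), and builds a throwaway demo tree so it runs offline. The directory of cloak.dat is not stated in the article, so the scanner searches for it anywhere under the ESP root (an assumption).

```python
"""Triage scan of a mounted EFI System Partition (ESP) for the on-disk
artifacts ESET attributes to HybridPetya. Added example for defenders;
not ESET's tooling. The demo tree it builds is constructed sample data."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Paths named in the write-up, relative to the ESP root ('\' written as '/').
NAMED_ARTIFACTS = {
    "EFI/Microsoft/Boot/verify": "Salsa20-encrypted key-verification file (bootkit installed)",
    "EFI/Microsoft/Boot/counter": "count of already-encrypted MFT clusters (encryption started)",
}

# cloak.dat lives "on the EFI System Partition"; no directory is given, so it is
# searched for anywhere under the ESP root (assumption).
LOOSE_ARTIFACTS = {
    "cloak.dat": "XOR-obfuscated bootkit payload loaded by vulnerable reloader.efi (CVE-2024-7344)",
}

# Bootloaders the installer replaces; their hashes are compared with a
# caller-supplied revocation list (hash values are not on the page).
BOOTLOADERS = ("EFI/Boot/bootx64.efi", "EFI/Microsoft/Boot/bootmgfw.efi")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (bootloaders can be several MB)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_esp(esp_root: Path, known_bad_sha256=frozenset()) -> list[tuple[str, str, str]]:
    """Return (severity, path_relative_to_esp, reason) findings for one ESP."""
    findings: list[tuple[str, str, str]] = []
    for rel, why in NAMED_ARTIFACTS.items():
        if (esp_root / rel).is_file():
            findings.append(("high", rel, why))
    for name, why in LOOSE_ARTIFACTS.items():
        for hit in esp_root.rglob(name):
            if hit.is_file():
                findings.append(("high", hit.relative_to(esp_root).as_posix(), why))
    for rel in BOOTLOADERS:
        candidate = esp_root / rel
        if candidate.is_file() and sha256_of(candidate) in known_bad_sha256:
            findings.append(("critical", rel, "bootloader hash matches a revoked/known-bad binary"))
    # verify + counter together mean the bootkit has run and MFT encryption has
    # at least started; rebooting would resume it, so image the disk first.
    seen = {f[1] for f in findings}
    if {"EFI/Microsoft/Boot/verify", "EFI/Microsoft/Boot/counter"} <= seen:
        findings.append(("critical", "EFI/Microsoft/Boot",
                         "verify + counter both present: MFT encryption in progress or completed"))
    return findings


def build_demo_esp() -> tuple[Path, str]:
    """Construct a throwaway ESP tree seeded with the artifacts (demo data only).

    Returns the tree root and the SHA-256 of the placeholder bootmgfw.efi, which
    stands in for the revoked reloader.efi hash that the article does not give.
    """
    root = Path(tempfile.mkdtemp(prefix="esp_demo_"))
    sample_files = {
        "EFI/Boot/bootx64.efi": b"LEGIT-BOOTX64-PLACEHOLDER",
        "EFI/Microsoft/Boot/bootmgfw.efi": b"RELOADER-PLACEHOLDER",
        "EFI/Microsoft/Boot/verify": b"\x00" * 32,
        "EFI/Microsoft/Boot/counter": b"\x10\x00\x00\x00",
        "cloak.dat": b"XORED-BOOTKIT-PLACEHOLDER",
    }
    for rel, payload in sample_files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(payload)
    placeholder_bad_hash = hashlib.sha256(b"RELOADER-PLACEHOLDER").hexdigest()
    return root, placeholder_bad_hash


if __name__ == "__main__":
    demo_root, bad_hash = build_demo_esp()
    for severity, rel_path, reason in scan_esp(demo_root, {bad_hash}):
        print(f"[{severity:8}] {rel_path}: {reason}")
```

On a live case the ESP would be mounted read-only from a forensic image (or the `S:`-style mount Windows administrators use) and `known_bad_sha256` populated from the DBX revocation entries Microsoft shipped in January 2025; the scanner deliberately reports presence of the artifacts rather than touching them, since the counter file is what the bootkit reads back to resume work after a reboot.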
Another aspect in which HybridPetya and NotPetya differ is that, unlike the latter's purely destructive behaviour, the newly identified artifact allows the threat actors to reconstruct the decryption key from the victim's personal installation key.

Telemetry data from ESET indicates no evidence of HybridPetya being used in the wild. The cybersecurity company also pointed to the recent discovery of a UEFI Petya proof-of-concept (PoC) by security researcher Aleksandra "Hasherezade" Doniec, adding it's possible there could be "some relationship between the two cases." It also doesn't rule out the possibility that HybridPetya may itself be a PoC.
"HybridPetya is now at least the fourth publicly known example of a real or proof-of-concept UEFI bootkit with UEFI Secure Boot bypass functionality, joining BlackLotus (exploiting CVE-2022-21894), BootKitty (exploiting LogoFail), and the Hyper-V Backdoor PoC (exploiting CVE-2020-26200)," ESET said.
"This shows that Secure Boot bypasses are not just possible – they're becoming more common and attractive to both researchers and attackers."
UEFI, the successor to the Basic Input/Output System (BIOS), is a lucrative target for attackers. Because UEFI runs before a machine's operating system on startup, malware capable of infecting the boot process can bypass traditional security software, execute malicious code with high-level privileges, and remain extremely stealthy and resilient to removal.
The discovery of HybridPetya comes as FFRI Security researcher Kazuki Matsuo detailed a technique called Shade BIOS that allows malware to operate completely independently of operating-system-level security and carry out nefarious actions without hardware dependence at runtime.
It has been described as a "pure-BIOS" malware that keeps BIOS in memory even after the OS boots, retaining UEFI functionality and the use of its drivers at runtime – giving it the power to subvert every type of cybersecurity protection.
Shade BIOS "disassociate[s] UEFI malware from OS-level security," Matsuo said in a Black Hat 2025 presentation last month, adding that it does not need to know what system the target is using, implement the whole driver stack, or access I/O directly.