
Cybersecurity researchers have discovered a new ransomware strain called HybridPetya. It resembles the infamous Petya/NotPetya malware, but it also incorporates the ability to bypass the Secure Boot mechanism of Unified Extensible Firmware Interface (UEFI) systems by exploiting a vulnerability disclosed earlier this year.
Slovak cybersecurity company ESET said the sample was uploaded to the VirusTotal platform in February 2025.
“HybridPetya encrypts the Master File Table, which contains important metadata about all files on NTFS-formatted partitions,” said security researcher Martin Smolár. “Unlike the original Petya/NotPetya, HybridPetya can damage modern UEFI-based systems by installing a malicious EFI application on the EFI System Partition.”
In other words, the deployed UEFI application is the core component that handles encryption of the Master File Table (MFT), which holds the metadata for every file on an NTFS-formatted partition.

HybridPetya has two main components: the bootkit and the installer, the former existing in two different versions. The bootkit, which is deployed by the installer, is primarily responsible for loading its configuration and checking the encryption status flag stored there. The flag can take three different values:
0 - Ready for encryption
1 - Already encrypted
2 - Ransom paid, disk decrypted
If the value is 0, the bootkit sets the flag to 1 and encrypts the disk with the Salsa20 algorithm, using the key and nonce specified in the configuration. Before starting the encryption of all NTFS-formatted partitions, it also creates a file called “\efi\microsoft\boot\counter” on the EFI System Partition. This file is used to track how many disk clusters have already been encrypted.
While encrypting, the bootkit updates a fake CHKDSK message shown on the victim’s screen with the current encryption progress, so the victim is deceived into thinking the system is repairing a disk error.
If the bootkit detects that the disk is already encrypted (i.e. the flag is set to 1), it presents the victim with a ransom note asking them to send $1,000 in Bitcoin to the specified wallet address (34unkksgzzvf5aybjkua2yyzw89zlwxu2). The wallet is currently empty, but it received $183.32 between February and May 2025.
The ransom note screen also offers the option to enter the decryption key purchased from the operators once the victim has paid. The bootkit then validates the key by attempting to decrypt the “\efi\microsoft\boot\verify” file. If the correct key is entered, the flag is set to 2 and the decryption step begins by reading the contents of the “\efi\microsoft\boot\counter” file.
“If the number of decrypted clusters is equal to the value from the counter file, the decryption will halt,” Smolár said. “During the MFT decryption process, the bootkit displays the current decryption status.”
During the decryption phase, the bootkit also restores the legitimate bootloaders – “\efi\boot\bootx64.efi” and “\efi\microsoft\boot\bootmgfw.efi” – from a backup it created earlier. Once this step is complete, the victim is asked to restart the Windows machine.

It is worth noting that the bootloader replacement performed by the installer when it deploys the UEFI bootkit components deliberately triggers a system crash (aka blue screen or BSOD), which forces a reboot and ensures that the bootkit binary runs when the device starts up again.
ESET added that some variants of HybridPetya have been found to exploit CVE-2024-7344 (CVSS score: 6.7) to bypass Secure Boot.
In this variant, the bootkit binary is XOR-encoded and packed into a specially crafted file named “cloak.dat”, which is loaded by the vulnerable reloader.efi. Microsoft revoked the old, vulnerable binaries as part of its January 2025 Patch Tuesday update.
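As an added defender-side example (not code from ESET or from the article), the following Python script triages a mounted EFI System Partition for the artifacts the preceding paragraphs describe: the counter and verify files written by the bootkit, the two bootloader paths it replaces, and the cloak.dat container used by the CVE-2024-7344 variant. The indicator paths come from the article; the “MZ” header check, the entropy heuristic and the build_sample_esp fixture are assumptions of this example.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# ESP artifacts named in the ESET write-up (paths relative to the ESP root; FAT, so case-insensitive).
INDICATOR_FILES = {
    "efi/microsoft/boot/counter": "encrypted-cluster counter created before MFT encryption",
    "efi/microsoft/boot/verify": "key-verification file checked when a decryption key is entered",
    "efi/microsoft/boot/cloak.dat": "XOR-encoded bootkit loaded by the vulnerable reloader.efi",
}
# Legitimate bootloaders the bootkit replaces and later restores from its backup.
BOOTLOADERS = ["efi/boot/bootx64.efi", "efi/microsoft/boot/bootmgfw.efi"]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; an XOR-encoded or encrypted blob sits near 8.0 (heuristic only)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_esp(esp_root: str) -> dict:
    """Scan a mounted ESP for HybridPetya artifacts and return a findings dict."""
    root = Path(esp_root)
    findings = {"indicators": [], "bootloaders": {}, "payload": None}
    for rel, why in INDICATOR_FILES.items():
        if (root / rel).is_file():
            findings["indicators"].append({"path": rel, "reason": why})
    for rel in BOOTLOADERS:
        p = root / rel
        # A genuine Windows boot manager is a PE image, so it starts with "MZ".
        findings["bootloaders"][rel] = {"present": p.is_file(),
                                       "pe_magic": p.is_file() and p.read_bytes()[:2] == b"MZ"}
    cloak = root / "efi/microsoft/boot/cloak.dat"
    if cloak.is_file():
        blob = cloak.read_bytes()  # XOR encoding hides the PE header and drives entropy up
        findings["payload"] = {"pe_magic": blob[:2] == b"MZ", "entropy": round(shannon_entropy(blob), 2)}
    # Any indicator file, or a present bootloader that is not a PE image, counts as a hit.
    bad_loader = any(v["present"] and not v["pe_magic"] for v in findings["bootloaders"].values())
    findings["compromised"] = bool(findings["indicators"]) or bad_loader
    return findings

def build_sample_esp(infected: bool) -> str:
    """Constructed fixture, not a real ESP image: a minimal ESP layout in a temp directory."""
    root = Path(tempfile.mkdtemp())
    for rel in BOOTLOADERS:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"MZ" + b"\0" * 62)  # stand-in for a real PE image
    if infected:
        (root / "efi/microsoft/boot/counter").write_bytes(b"\x10\0\0\0")
        (root / "efi/microsoft/boot/cloak.dat").write_bytes(bytes(b ^ 0x5A for b in range(256)) * 16)  # entropy 8.0
    return str(root)
```

On a live system, point triage_esp at the mounted ESP (for example /boot/efi on Linux or a mounted S: volume on Windows); a signed but revoked reloader.efi still passes the “MZ” check, so the indicator files are the decisive evidence for that variant.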

“When the reloader.efi binary (deployed as bootmgfw.efi) is run during boot, it searches for the existence of the cloak.dat file in the EFI System Partition and loads the embedded UEFI application from the file in a very insecure way, thus completely ignoring any integrity checks.”
Another way HybridPetya differs from NotPetya is that, unlike the latter’s purely destructive payload, the newly identified artifacts allow the threat actors to reconstruct the decryption key from the victim’s personal installation key.
ESET’s telemetry data shows no evidence of HybridPetya being used in the wild. The cybersecurity company also pointed to the recent discovery of a UEFI Petya proof of concept (PoC) by security researcher Aleksandra “Hasherezade” Doniec, adding that there could be “some relationship between the two cases.” It also does not rule out the possibility that HybridPetya is itself a PoC.
“HybridPetya is now at least the fourth publicly known example of a real or proof-of-concept UEFI bootkit with UEFI Secure Boot bypass functionality, joining BlackLotus (exploiting CVE-2022-21894), Bootkitty (exploiting LogoFAIL), and the Hyper-V Backdoor PoC (exploiting CVE-2020-26200),” ESET said.
“This shows that Secure Boot bypasses are not only possible, but are becoming more common and attractive to both researchers and attackers.”