New Ransomware Strain: Understanding HybridPetya
Cybersecurity has always been a moving target, with new threats emerging regularly. Recently, researchers at ESET have identified a new ransomware strain known as HybridPetya, which bears a striking resemblance to the infamous Petya and NotPetya malware. This new variant introduces troubling features, including the ability to bypass Secure Boot mechanisms in Unified Extensible Firmware Interface (UEFI) systems, leveraging a patched vulnerability that was disclosed earlier this year.
What is HybridPetya?
According to ESET, the first samples of HybridPetya were uploaded to the VirusTotal platform in February 2025. This ransomware strain mainly targets the Master File Table (MFT), crucial for storing metadata about files on NTFS-formatted partitions. Martin Smolár, a researcher at ESET, emphasized that HybridPetya’s ability to affect modern UEFI-based systems distinguishes it from its predecessors. It achieves this by installing a malicious EFI application onto the EFI System Partition.
How Does HybridPetya Function?
The core functionality of HybridPetya revolves around two main components: a bootkit and an installer. The bootkit is available in two versions and is responsible for loading the configuration and tracking the encryption status of the affected system. The status can be categorized into three states:
- 0 – Ready for encryption.
- 1 – Already encrypted.
- 2 – Ransom paid and disk decrypted.
If the system is in state 0, the bootkit will set it to 1 and commence the encryption process. This involves encrypting a file named \EFI\Microsoft\Boot\verify using the Salsa20 encryption algorithm based on predefined keys. Moreover, the bootkit creates a file named \EFI\Microsoft\Boot\counter on the EFI System Partition, which is critical for tracking which disk clusters have already been encrypted.
Deceptive Operations and Ransom Demands
While encrypting, the malicious bootkit displays a fake CHKDSK message on the victim’s screen, misleading them into believing that their system is undergoing repair. If the system is already encrypted, the bootkit displays a ransom note demanding payment of $1,000 in Bitcoin.
Interestingly, the wallet received only $183.32, between February and May 2025, and has seen no transactions since, yet it remains a crucial element in the ransom process. Victims are instructed to enter a decryption key purchased from the attacker to unlock their files. If the correct key is submitted, the bootkit attempts to decrypt the \EFI\Microsoft\Boot\verify file, then continues the decryption process until all clusters have been processed.
Bootkit Features and Impact
One of the more alarming features of HybridPetya is its ability to alter bootloaders, leading to a Blue Screen of Death (BSoD)—essentially crashing the system and ensuring that the malicious binary executes on the next boot. Specific variants of HybridPetya have been found to exploit CVE-2024-7344, a known remote code execution vulnerability that results in a Secure Boot bypass.
In this case, the installer deploys a specially crafted file named cloak.dat, which contains the XOR-encoded bootkit binary. When reloader.efi runs, it loads this file without performing integrity checks, which is what lets the bootkit execute despite Secure Boot being enabled.
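As an added example (not from the article or from ESET), here is a defender-side Python check that looks for the artifacts the article names on a mounted EFI System Partition: the verify and counter state files, and the reloader.efi plus cloak.dat loader pair. The severity labels, the basename matching for reloader.efi and cloak.dat (the article gives no directory for them), and the sample listing are my own assumptions, not ESET's detection logic.

```python
"""Scan a mounted EFI System Partition for the HybridPetya artifacts the article names."""
import os
from typing import Iterable, List, Tuple

# Paths quoted in the article, normalised to forward slashes and lower case.
# FAT32 on the ESP is case-insensitive, so matching must be too.
BOOTKIT_STATE_FILES = {"efi/microsoft/boot/verify", "efi/microsoft/boot/counter"}
# The article names these files but not their directory, so match by basename (assumption).
LOADER_PAIR = ("reloader.efi", "cloak.dat")


def normalise(path: str) -> str:
    """Turn a Windows or POSIX path into a lower-case, slash-separated relative path."""
    return path.replace("\\", "/").lstrip("/").lower()


def assess_esp(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (severity, detail) findings for a listing of files on the ESP."""
    seen = {normalise(p) for p in paths}
    basenames = {p.rsplit("/", 1)[-1] for p in seen}
    findings: List[Tuple[str, str]] = []
    state_hits = sorted(BOOTKIT_STATE_FILES & seen)
    if state_hits:
        findings.append(("high", "bootkit state files present: " + ", ".join(state_hits)))
    has_reloader, has_cloak = (name in basenames for name in LOADER_PAIR)
    if has_reloader and has_cloak:
        findings.append(("high", "reloader.efi together with cloak.dat: CVE-2024-7344 loader pattern"))
    elif has_reloader:
        # The vulnerable loader alone is not proof of infection; confirm its origin manually.
        findings.append(("low", "reloader.efi present without cloak.dat; verify its origin"))
    elif has_cloak:
        findings.append(("medium", "cloak.dat present without reloader.efi"))
    return findings


def scan_mounted_esp(mount_point: str) -> List[Tuple[str, str]]:
    """Walk a mounted ESP (assumed mount point supplied by the caller) and assess it."""
    listing = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            listing.append(os.path.relpath(os.path.join(root, name), mount_point))
    return assess_esp(listing)


# Constructed sample listing (not a real capture) resembling an infected ESP.
SAMPLE_LISTING = [
    r"\EFI\Microsoft\Boot\bootmgfw.efi", r"\EFI\Microsoft\Boot\verify",
    r"\EFI\Microsoft\Boot\counter", r"\EFI\Microsoft\Boot\reloader.efi",
    r"\EFI\Microsoft\Boot\cloak.dat",
]

if __name__ == "__main__":
    for severity, detail in assess_esp(SAMPLE_LISTING):
        print(f"[{severity}] {detail}")
```

On a live system, call scan_mounted_esp with the ESP mount point (for example the directory where you mounted the EFI partition) and treat any "high" finding as grounds for a forensic image before remediation.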
Comparison with NotPetya
HybridPetya also presents notable differences from its predecessor, NotPetya. While NotPetya was known for its destructive nature, HybridPetya allows attackers to reconstruct the decryption key using victims’ personal installation keys, highlighting a shift in strategy among attackers.
Current Status of HybridPetya
As of now, ESET has not observed any active usage of HybridPetya in the wild. However, they point to the recent PoC development for a UEFI Petya by security researcher Aleksandra “Hasherezade” Doniec, hinting at possible connections between these cybersecurity threats.
HybridPetya is now the fourth publicly known UEFI bootkit capable of bypassing Secure Boot. Previous examples include BlackLotus, BootKitty, and a Hyper-V Backdoor PoC, underscoring how common such bypasses are becoming on modern systems.
The rise of UEFI Secure Boot bypasses showcases the increasing sophistication of cyber threats, capturing the attention of both security researchers and malicious actors alike.
In conclusion, staying informed about evolving threats like HybridPetya is essential in the fight against ransomware and protecting sensitive data across various sectors.