New Ransomware Strain,hybridpetya,Surfaces with UEFI Exploitation Capabilities
A new ransomware strain dubbed HybridPetya was discovered in February 2025 on the virustotal platform,exhibiting characteristics reminiscent of the devastating NotPetya malware. While currently showing no signs of active widespread deployment, HybridPetya distinguishes itself through its ability to compromise Unified Extensible Firmware Interface (UEFI)-based systems.
The malware shares meaningful code similarities with both Petya and NotPetya, but introduces new functionalities. Unlike NotPetya, which caused over $10 billion in global damages in 2017 by rendering recovery impractical, HybridPetya allows for data restoration with the correct decryption key, functioning more akin to traditional ransomware.
HybridPetya targets NTFS partitions by encrypting the Master File Table (MFT), a critical component for file location mapping. Analysis by ESET Research reveals the malware installs a malicious EFI application onto the EFI System Partition, establishing persistence below the operating system level.
A key feature of HybridPetya is its exploitation of CVE-2024-7344, a vulnerability allowing attackers to bypass UEFI Secure Boot on unpatched systems. this bypass is achieved by loading a crafted “cloak.dat” file through a signed, yet vulnerable, Microsoft application.
Key characteristics of HybridPetya include:
* Encryption of the NTFS Master file Table using the Salsa20 algorithm.
* Installation of a UEFI bootkit that executes prior to operating system loading.
* Exploitation of CVE-2024-7344 to circumvent Secure Boot protections.
* Support for data recovery upon decryption key entry.
The emergence of HybridPetya aligns with a growing trend of targeting system startup protections, as demonstrated by other advanced UEFI bootkits like blacklotus. While its current status remains uncertain – whether an active threat or a proof of concept – HybridPetya highlights the increasing sophistication of ransomware and the adaptation of attackers to exploit deeper, more resilient compromise methods. Notably, HybridPetya lacks the self-propagating network capabilities present in NotPetya.
