ESET Research has uncovered a sophisticated new ransomware variant called HybridPetya, discovered on the VirusTotal sample sharing platform.
This malware represents a dangerous evolution of the infamous Petya/NotPetya ransomware family, incorporating advanced capabilities to compromise UEFI-based systems and exploit CVE-2024-7344 to bypass UEFI Secure Boot protections on vulnerable systems.
Unlike its predecessors, HybridPetya demonstrates significant technical advancement by targeting modern UEFI-based systems.
The malware installs a malicious EFI application directly onto the EFI System Partition, giving it unprecedented control over the boot process.
This technique allows the ransomware to operate at a lower level than traditional malware, making it extremely difficult to detect and remove using conventional security tools.
The malware’s most concerning feature is its exploitation of CVE-2024-7344, a critical UEFI Secure Boot bypass vulnerability that ESET Research previously disclosed in early 2025.
By leveraging a specially crafted cloak.dat file, HybridPetya can circumvent Secure Boot protections on outdated systems that haven’t received Microsoft’s January 2025 security updates.
Security experts note that HybridPetya represents at least the fourth publicly known example of UEFI bootkit malware with Secure Boot bypass functionality, joining BlackLotus, BootKitty, and the Hyper-V Backdoor proof-of-concept.
This bypass capability makes the malware particularly dangerous for organizations running legacy systems or those with delayed patch management cycles.
Technical Analysis and Attack Methodology
HybridPetya employs the same destructive encryption methodology as its predecessors, targeting the Master File Table (MFT) on NTFS-formatted partitions.
The MFT contains critical metadata about all files on the system, and its encryption effectively renders the entire system unusable until the ransom is paid.
The malware uses the Salsa20 encryption algorithm with a 32-byte key and 8-byte nonce, displaying a fake CHKDSK message during the encryption process to deceive victims into believing their system is undergoing routine maintenance.
The ransomware samples were first uploaded to VirusTotal in February 2025 from Poland, using filenames such as “notpetyanew.exe” that clearly indicate their connection to the original NotPetya campaign.
However, unlike the purely destructive NotPetya malware that caused over $10 billion in damages during the 2017 attacks, HybridPetya appears to function as legitimate ransomware, with operators capable of providing decryption keys upon payment.
ESET telemetry indicates that HybridPetya is not currently being used in active campaigns, suggesting it may still be in development or proof-of-concept stages.
The malware lacks the aggressive network propagation capabilities that made NotPetya so devastating, potentially limiting its spread.
However, security researchers warn that the technical sophistication demonstrated in these samples makes HybridPetya a significant threat for future monitoring.
The ransomware displays ransom notes similar to the original NotPetya, demanding payment in Bitcoin to addresses controlled by the operators.
The ransom amount and specific payment instructions differ from the original NotPetya campaigns, indicating this is the work of different threat actors.
This trend demonstrates that UEFI Secure Boot bypasses are becoming increasingly common and attractive to both security researchers and malicious actors.
Organizations can protect themselves by ensuring their systems have received Microsoft’s January 2025 security updates, which address the CVE-2024-7344 vulnerability.
Regular security assessments, endpoint protection solutions, and maintaining current patch levels remain essential defenses against this emerging threat category.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
