HybridPetya: The New Ransomware Bypassing Secure Boot
Researchers at ESET have reported a new ransomware strain, dubbed HybridPetya, that blends techniques from the Petya and NotPetya families and adds a Secure Boot bypass on UEFI systems. The bypass relies on CVE-2024-7344, a vulnerability in a Microsoft-signed UEFI application (the Howyar Reloader) that was patched in January 2025. The flaw let that signed application load and execute an unsigned EFI binary with its own loader, skipping the signature verification Secure Boot is supposed to enforce.
Samples of the malware were first uploaded to VirusTotal in February 2025. Unlike earlier Petya variants, this version installs its EFI component directly into the EFI System Partition and uses it to encrypt the Master File Table (MFT), the structure that holds the metadata for every file on an NTFS volume. While encrypting, HybridPetya displays a fake CHKDSK-style disk check message to hide what is happening.
The ransomware consists of two core components: an installer and a UEFI bootkit. The bootkit tracks its configuration and encryption status through a three-state flag: 0 means ready to encrypt, 1 means the disk is already encrypted, and 2 means the ransom has been paid and decryption has started. When the flag is 0, the bootkit uses Salsa20 to encrypt the file \EFI\Microsoft\Boot\verify, creates a file named counter in the EFI partition to record how many clusters it has encrypted, and then encrypts the MFT of every NTFS partition it finds.
Once encryption is complete, the victim is shown a ransom note demanding $1,000 in Bitcoin. Between February and May 2025 only about $183 reached the listed address, which is now empty.
After payment, the victim is supposed to receive a decryption key. The bootkit uses that key to decrypt the verify file, which serves as its check that the key is correct, and then sets the flag to 2. It reads the counter file, decrypts the recorded clusters in order, restores the original bootloaders bootx64.efi and bootmgfw.efi from the backups it made, and finally prompts for a Windows reboot.
What sets HybridPetya apart is how the installer gets its EFI module to run. After replacing the system bootloaders, the installer deliberately crashes the machine with a blue screen so that it reboots straight into the malicious EFI code. Some variants exploit CVE-2024-7344 through the Howyar Reloader component (reloader.efi): the signed Reloader is installed under the name bootmgfw.efi, searches the partition for cloak.dat, which holds the encrypted bootkit, and loads it with its own PE loader without any signature check, so the bootkit never passes through Secure Boot verification. Microsoft added the vulnerable Reloader binary to the Secure Boot revocation list (dbx) in its January 2025 update.
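Two checks follow from the chain just described: look on the ESP for the files the text names (a bootmgfw.efi that references cloak.dat, plus cloak.dat, verify and counter), and confirm that the machine's dbx actually contains the hash Microsoft revoked in January 2025. The script below is an added example written for this article, not ESET's or Microsoft's code. It assumes only what the text states about file names; the dbx layout is the standard UEFI EFI_SIGNATURE_LIST format; the assumption that a Reloader copy contains the string "cloak.dat" is a heuristic, and the Reloader's real Authenticode hash is an input you must supply (the digests used here are constructed placeholders).

```python
"""ESP artefact triage and dbx revocation lookup for the HybridPetya chain.

Added example, not ESET's or Microsoft's code. File names come from the
article; the dbx wire format is the UEFI EFI_SIGNATURE_LIST layout; the
PE hash to look up is an operator-supplied input, not something known here.
"""
import struct
import tempfile
import uuid
from pathlib import Path

# Artefacts the article attributes to the chain. Matched by basename,
# except `verify`, whose full path the article gives.
BOOTKIT_FILES = {"cloak.dat": "encrypted bootkit payload loaded by the vulnerable Reloader",
                 "counter": "encrypted-cluster counter written by the bootkit"}
VERIFY_PATH = "efi/microsoft/boot/verify"
BOOTLOADERS = {"bootmgfw.efi", "bootx64.efi"}


def _mentions_cloak(data: bytes) -> bool:
    """Heuristic (assumption): a Reloader copy embeds 'cloak.dat' as ASCII or UTF-16LE."""
    low = data.lower()
    return b"cloak.dat" in low or "cloak.dat".encode("utf-16-le") in low


def triage_esp(esp_root) -> list:
    """Return findings for a mounted ESP (or an offline copy of its tree)."""
    root = Path(esp_root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in BOOTKIT_FILES:
            findings.append(f"{rel}: {BOOTKIT_FILES[name]}")
        elif rel.lower() == VERIFY_PATH:
            findings.append(f"{rel}: Salsa20 key-check file written by the bootkit")
        elif name in BOOTLOADERS and _mentions_cloak(path.read_bytes()):
            findings.append(f"{rel}: bootloader references cloak.dat (renamed Reloader?)")
    return findings


# --- dbx parsing: a chain of EFI_SIGNATURE_LIST structures -------------------
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
_LIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize
SHA256_SIG_SIZE = 16 + 32             # EFI_SIGNATURE_DATA: SignatureOwner GUID + digest


def iter_dbx_sha256(dbx: bytes):
    """Yield every hex SHA-256 digest in a raw dbx body; reject malformed lists."""
    off = 0
    while off < len(dbx):
        if off + _LIST_HDR.size > len(dbx):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(dbx, off)
        if list_size < _LIST_HDR.size or off + list_size > len(dbx):
            raise ValueError(f"bad SignatureListSize at offset {off}")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256_GUID:
            if sig_size != SHA256_SIG_SIZE:
                raise ValueError("SHA-256 list with unexpected SignatureSize")
            pos = off + _LIST_HDR.size + hdr_size
            while pos + sig_size <= off + list_size:
                yield dbx[pos + 16:pos + sig_size].hex()  # skip the owner GUID
                pos += sig_size
        off += list_size  # other signature types (x509 etc.) are skipped


def dbx_contains(dbx: bytes, sha256_hex: str) -> bool:
    """True if this dbx body revokes the given Authenticode SHA-256 digest."""
    want = sha256_hex.lower().replace(" ", "")
    return any(h == want for h in iter_dbx_sha256(dbx))


def build_sha256_list(hashes_hex) -> bytes:
    """Encode one EFI_SIGNATURE_LIST of SHA-256 entries (used for constructed test data)."""
    owner = uuid.UUID(int=0).bytes_le
    body = b"".join(owner + bytes.fromhex(h) for h in hashes_hex)
    return _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, _LIST_HDR.size + len(body),
                          0, SHA256_SIG_SIZE) + body


def write_sample_esp() -> str:
    """Constructed sample ESP tree with the article's artefacts; returns its root."""
    root = tempfile.mkdtemp()
    boot = Path(root, "EFI", "Microsoft", "Boot")
    boot.mkdir(parents=True)
    (boot / "bootmgfw.efi").write_bytes(b"MZ" + "CLOAK.DAT".encode("utf-16-le"))
    for name, size in (("cloak.dat", 16), ("verify", 16), ("counter", 8)):
        (boot / name).write_bytes(b"\x00" * size)
    clean = Path(root, "EFI", "Boot")
    clean.mkdir(parents=True)
    (clean / "bootx64.efi").write_bytes(b"MZ clean loader")  # should not be flagged
    return root


if __name__ == "__main__":
    for line in triage_esp(write_sample_esp()):
        print("finding:", line)
    placeholder = "11" * 32  # stand-in for the real Reloader hash, which you supply
    sample_dbx = build_sha256_list(["22" * 32, placeholder])
    print("revoked:", dbx_contains(sample_dbx, placeholder))
```

To run the dbx check against a real machine, feed `dbx_contains` the variable body: on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes`; on Linux, the file under `/sys/firmware/efi/efivars/` named `dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` with its first four bytes (the variable attributes) stripped. A dbx that lacks the revoked Reloader hash means the January 2025 update has not been applied to firmware and the signed Reloader will still boot.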
According to ESET, no infections in real-world environments have been observed so far, and the discovered samples may be a proof-of-concept project. The researchers link HybridPetya to an earlier UEFI-based Petya prototype published by independent researcher Aleksandra Doniec (hasherezade). It therefore remains unclear whether the malware is an imminent threat or an experimental build.
HybridPetya is the fourth publicly known UEFI bootkit, real or proof-of-concept, with Secure Boot bypass functionality. Its predecessors are BlackLotus (exploiting CVE-2022-21894), Bootkitty (using the LogoFAIL attack) and the Hyper-V Backdoor PoC (exploiting CVE-2020-26200). ESET stresses that Secure Boot bypasses are becoming more common and are drawing attention from security researchers and threat actors alike.