HybridPetya: the ransomware that slips past Secure Boot
Security researchers (ESET) have analysed a new ransomware strain dubbed HybridPetya, which echoes Petya/NotPetya but adds a modern twist: it can bypass UEFI Secure Boot using a now-patched flaw (CVE-2024-7344) in a UEFI component. Samples appeared on VirusTotal in February 2025. HybridPetya works via an installer + bootkit combo that plants a malicious EFI app on the EFI System Partition, then encrypts the NTFS Master File Table (MFT)—all while displaying a fake CHKDSK screen to mask what’s happening. A status flag tracks whether the disk is ready, encrypted, or paid/decrypted. The ransom note demands $1,000 in Bitcoin. If a key is entered, the bootkit restores backed-up bootloaders and reverses the encryption using a counter file. Some variants exploit the CVE-2024-7344 Secure Boot bypass; Microsoft revoked the vulnerable binary in January 2025 updates. ESET says there’s no evidence of in-the-wild use yet; it may be a proof-of-concept. It sits alongside past UEFI bootkits like BlackLotus and others, underscoring growing interest in pre-OS malware.
Remember Petya/NotPetya? Meet HybridPetya—the modern remix that doesn’t just scramble files; it sneaks under Windows by abusing UEFI, the firmware that starts your PC before the operating system even wakes up. Cheery.
What’s new here?
HybridPetya uses a two-piece act: an installer and a bootkit. The installer plants a malicious EFI app on the system’s special boot partition. On restart, the bootkit encrypts the Master File Table (MFT)—the index of everything on your NTFS drive—while flashing up a convincing fake CHKDSK screen so you won’t panic until it’s too late.
The Secure Boot sidestep
Some variants exploit a UEFI vulnerability (CVE-2024-7344) that lets them bypass Secure Boot checks. Microsoft has revoked the dodgy component in its 2025 updates, but outdated machines could still be at risk.
Ransom routine
Once done, you get a $1,000 Bitcoin demand. Enter the right key and the bootkit restores the legitimate bootloaders and undoes the damage—because yes, this one actually supports decryption (unlike its more destructive ancestors).
Is it in the wild?
So far, there’s no confirmed real-world outbreak. It may be a proof-of-concept—albeit a very polished one—which proves a point: UEFI-level attacks are on the rise and happily sidestep traditional security tools.
What to do (right now)
• Patch firmware/UEFI and apply Microsoft’s latest revocation lists.
• Enable Secure Boot and keep it current.
• Monitor for boot changes and unusual firmware behaviour.
• Back up properly (offline copies, tested restores).
• Educate users—that fake repair screen isn’t your friend.
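One concrete way to act on the "monitor for boot changes" advice, as an added defender-side example that is not ESET's research code or anything from the malware: this PowerShell script baselines the EFI binaries on the EFI System Partition and, on later runs, flags new, replaced or missing ones (exactly where a dropped EFI app or swapped bootloader would show up), after confirming Secure Boot is on. It assumes an elevated session, that drive letter S: is free, and a baseline path that is only a placeholder.

```powershell
# Added example (not from the page's source): ESP baseline and Secure Boot check.
param(
    [string]$BaselinePath = "$env:ProgramData\esp-baseline.json",  # assumed placeholder path
    [string]$MountLetter  = 'S'                                    # assumed free drive letter
)

# 1. Secure Boot has to be on for the dbx revocation updates to mean anything.
$sbEnabled = $false
try { $sbEnabled = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS machines
Write-Host "Secure Boot enabled: $sbEnabled"

# 2. The ESP is hidden by default; mount it, hash every .efi, then unmount.
mountvol "${MountLetter}:" /S | Out-Null
try {
    $current = Get-ChildItem "${MountLetter}:\EFI" -Recurse -File -Include *.efi |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName.Substring(3)   # drop "S:\" so the letter is irrelevant
                Hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            }
        }

    if (-not (Test-Path $BaselinePath)) {
        # First run on a known-good machine: record what the ESP should contain.
        $current | ConvertTo-Json | Set-Content $BaselinePath
        Write-Host "Baseline written to $BaselinePath ($($current.Count) EFI files)."
    } else {
        $baseline = @{}
        foreach ($b in (Get-Content $BaselinePath -Raw | ConvertFrom-Json)) {
            $baseline[$b.Path] = $b.Hash
        }
        foreach ($f in $current) {
            if (-not $baseline.ContainsKey($f.Path)) {
                Write-Warning "NEW EFI binary: $($f.Path)"        # a planted EFI app lands here
            } elseif ($baseline[$f.Path] -ne $f.Hash) {
                Write-Warning "CHANGED EFI binary: $($f.Path)"    # a replaced bootloader lands here
            }
        }
        # Binaries that vanished since the baseline deserve a look too.
        foreach ($p in $baseline.Keys) {
            if (-not ($current.Path -contains $p)) { Write-Warning "MISSING EFI binary: $p" }
        }
    }
} finally {
    mountvol "${MountLetter}:" /D | Out-Null
}
```

Run it once after patching to write the baseline, then on a schedule; a warning for any file under EFI\ (not just the Microsoft bootloader) is worth investigating before the next reboot.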