- Total News Sources: 1
- Left: 1
- Center: 0
- Right: 0
- Unrated: 0
- Last Updated: 19 hours ago
- Bias Distribution: 100% Left
ESET Identifies HybridPetya Ransomware Bypassing UEFI Secure Boot
Researchers have identified a new ransomware strain called HybridPetya. It emulates the notorious Petya/NotPetya malware but adds the capability to compromise UEFI-based systems, exploiting the CVE-2024-7344 vulnerability to bypass UEFI Secure Boot on outdated Windows systems. Unlike NotPetya, HybridPetya acts as true ransomware: it encrypts the Master File Table of NTFS partitions, demands a ransom payment of $1,000 in bitcoin, and allows victims to decrypt their files. The malware installs a malicious EFI application to the EFI System Partition to carry out the encryption, and it displays a fake CHKDSK status before rebooting the system. No evidence shows that HybridPetya has been deployed in the wild yet. Researchers discovered its components, including bootkit variants and installers, on VirusTotal, which suggests it might be a research project or proof of concept. HybridPetya joins a limited group of real or proof-of-concept UEFI bootkits capable of evading detection by antivirus software and surviving OS reinstalls, posing a significant security threat by targeting firmware. ESET and other security firms have published detailed technical analyses of HybridPetya's operation and of the Secure Boot bypass it exploits, highlighting ongoing risks to system firmware security.
