New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit
Summary:
ESET Research has discovered HybridPetya, a modern copycat of the destructive Petya/NotPetya malware family. The samples, first uploaded to VirusTotal in early 2025, mimic many of the techniques used in prior outbreaks but introduce several new capabilities. HybridPetya encrypts the Master File Table on NTFS partitions, disrupting access to all files, and extends its reach to UEFI-based systems by dropping a malicious EFI application into the EFI System Partition. This positions the malware to interfere with the system before the operating system even loads, significantly complicating recovery. One variant also leverages CVE-2024-7344, a Secure Boot bypass vulnerability, through a crafted cloak.dat file, allowing execution on outdated or unpatched systems. Unlike NotPetya, which functioned as a wiper, HybridPetya retains functional ransomware features: its encryption scheme theoretically allows operators to provide victims with decryption keys. While ESET telemetry has not observed HybridPetya deployed in active campaigns, its technical sophistication highlights a growing evolution in ransomware families toward firmware-level targeting and Secure Boot exploitation.
Security Officer Comments:
HybridPetya demonstrates how threat actors are adapting destructive malware concepts into more financially motivated ransomware operations. By combining traits of both Petya and NotPetya, this strain bridges the gap between pure destruction and monetization. Its ability to compromise UEFI firmware environments makes it especially dangerous, since traditional OS-level defenses may be bypassed, persistence becomes harder to remove, and recovery often requires full system reimaging. The use of CVE-2024-7344 further shows how attackers are integrating known vulnerabilities into ransomware delivery chains to maximize reach. Although currently no evidence suggests HybridPetya is spreading in the wild, the malware’s design strongly suggests it may be in an experimental stage or proof-of-concept that could later be weaponized in targeted attacks. Security teams should treat it as an early warning of a new class of ransomware that blends traditional disk encryption with advanced firmware exploitation, making detection and remediation significantly more complex.
Suggested Corrections:
- Apply UEFI Secure Boot updates: Ensure the Microsoft January 2025 dbx update is applied to block CVE-2024-7344 exploitation.
- Keep firmware and bootloaders patched: Regularly update UEFI/BIOS firmware and revoke vulnerable binaries.
- Monitor boot integrity: Deploy EDR and firmware security tools that check for unauthorized EFI modifications.
- Restrict admin/system-level access: Minimize exposure of functions that could allow EFI partition changes.
- Strengthen recovery strategies: Maintain offline, immutable backups and validated disaster recovery procedures to counter MFT encryption scenarios.
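The "monitor boot integrity" item above is the one a team can start on without new tooling: baseline the EFI System Partition and alert on anything that appears or changes there. The script below is an added example, not code from ESET or either linked article. It inventories a mounted ESP (path and SHA-256 per file), stores that as a JSON baseline, and on later runs reports added, removed or modified files, any new .efi binary, and any file named cloak.dat, the only artefact name the write-up gives. The mount point, the directory layout and the file contents in the demo are constructed placeholders; where HybridPetya actually writes its files is not stated on this page and is not assumed here.

```python
"""Baseline-and-diff integrity check for a mounted EFI System Partition (ESP).

Added example. Inventories every file under the ESP as {relative path: SHA-256},
compares it with a stored baseline, and flags added/removed/modified files, new
.efi binaries, and any file called cloak.dat (name taken from the ESET write-up).
The demo builds a throwaway ESP in a temp directory; all paths and contents in it
are constructed placeholders, not real boot artefacts.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File name named in the write-up; everything else in this script is illustrative.
SUSPICIOUS_NAMES = {"cloak.dat"}


def inventory_esp(esp_root):
    """Return {relative_posix_path: sha256_hex} for every regular file under esp_root."""
    root = Path(esp_root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            inventory[path.relative_to(root).as_posix()] = digest
    return inventory


def diff_esp(baseline, current):
    """Compare two inventories and return the findings a defender would act on."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = sorted(p for p in current if Path(p).name.lower() in SUSPICIOUS_NAMES)
    new_efi = sorted(p for p in added if p.lower().endswith(".efi"))
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "new_efi_binaries": new_efi,
        "suspicious_names": suspicious,
        # Any change to an existing file, any new EFI application, or a known bad
        # name is worth an alert; a removed file alone is reported but not escalated.
        "alert": bool(modified or new_efi or suspicious),
    }


def save_baseline(inventory, path):
    """Persist an inventory as sorted JSON so diffs of the baseline itself are readable."""
    Path(path).write_text(json.dumps(inventory, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def _write(root, rel, data):
    """Helper for the demo: create rel under root with the given bytes."""
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo():
    """Construct a clean ESP, baseline it, then simulate unauthorised changes."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp) / "esp"
        # Constructed clean state: placeholder boot manager and fallback loader.
        _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"placeholder-bootmgfw")
        _write(esp, "EFI/Boot/bootx64.efi", b"placeholder-bootx64")
        baseline_file = Path(tmp) / "esp-baseline.json"
        save_baseline(inventory_esp(esp), baseline_file)

        # Simulated tampering: the fallback loader is altered, an unknown EFI
        # application appears, and a cloak.dat file is dropped alongside it.
        _write(esp, "EFI/Boot/bootx64.efi", b"placeholder-bootx64-modified")
        _write(esp, "EFI/Boot/extra.efi", b"placeholder-unknown-efi-app")
        _write(esp, "EFI/Boot/cloak.dat", b"placeholder")

        return diff_esp(load_baseline(baseline_file), inventory_esp(esp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is taken once, right after the January 2025 dbx update and firmware patching are applied, and stored off the host; the check then runs from a scheduled task with the ESP mounted read-only, and every change it reports is reconciled against change records, since a legitimate boot-manager update also shows up as a modified file.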
https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
https://www.welivesecurity.com/en/e...tya-notpetya-copycat-uefi-secure-boot-bypass/