ESET Research has uncovered a sophisticated new ransomware variant, referred to as HybridPetya, found on the VirusTotal sample-sharing platform.
This malware represents a dangerous evolution of the notorious Petya/NotPetya ransomware family, incorporating advanced capabilities to compromise UEFI-based systems and exploit CVE-2024-7344 to bypass UEFI Secure Boot protections on vulnerable systems.
Unlike its predecessors, HybridPetya demonstrates significant technical advancement by targeting modern UEFI-based systems.
The malware installs a malicious EFI application directly onto the EFI System Partition, giving it unprecedented control over the boot process.
This technique allows the ransomware to operate at a lower level than conventional malware, making it extremely difficult to detect and remove using typical security tools.
The malware's most concerning feature is its exploitation of CVE-2024-7344, a critical UEFI Secure Boot bypass vulnerability that ESET Research previously disclosed in early 2025.
By leveraging a specially crafted cloak.dat file, HybridPetya can circumvent Secure Boot protections on outdated systems that have not received Microsoft's January 2025 security updates.
Security experts note that HybridPetya represents at least the fourth publicly known instance of UEFI bootkit malware with Secure Boot bypass functionality, joining BlackLotus, BootKitty, and the Hyper-V Backdoor proof-of-concept.
This bypass capability makes the malware particularly dangerous for organizations running legacy systems or those with delayed patch management cycles.
Technical Analysis and Attack Methodology
HybridPetya employs the same destructive encryption methodology as its predecessors, targeting the Master File Table (MFT) on NTFS-formatted partitions.
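Because the bootkit lives on the EFI System Partition alongside a cloak.dat file, one practical triage step is to inventory the ESP and compare its EFI applications against a known-good baseline. The script below is an added example written for this article, not ESET's or any vendor's tooling; the ESP layout, file contents and baseline are constructed placeholders built in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_esp(esp_root, baseline):
    """Return (reason, relative_path, sha256) for every suspicious file under esp_root.
    baseline: lowercase POSIX-style relative path -> expected SHA-256 of known-good .efi files."""
    root = Path(esp_root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix().lower()
        digest = sha256_file(path)
        if path.name.lower() == "cloak.dat":
            # The crafted file HybridPetya relies on for the CVE-2024-7344 Secure Boot bypass.
            findings.append(("cloak.dat present", rel, digest))
        elif path.suffix.lower() == ".efi":
            expected = baseline.get(rel)
            if expected is None:
                findings.append(("EFI application not in baseline", rel, digest))
            elif expected != digest:
                findings.append(("EFI application hash mismatch", rel, digest))
    return findings

def build_demo_esp():
    """Constructed ESP layout in a temp dir (placeholder bytes, not real binaries).
    The baseline covers only bootmgfw.efi; bootx64.efi and cloak.dat are planted to be flagged."""
    root = Path(tempfile.mkdtemp())
    ms_boot = root / "EFI" / "Microsoft" / "Boot"
    ms_boot.mkdir(parents=True)
    (ms_boot / "bootmgfw.efi").write_bytes(b"placeholder-bootmgfw")
    (ms_boot / "cloak.dat").write_bytes(b"placeholder-cloak")
    (root / "EFI" / "Boot").mkdir()
    (root / "EFI" / "Boot" / "bootx64.efi").write_bytes(b"placeholder-unknown")
    baseline = {"efi/microsoft/boot/bootmgfw.efi": sha256_file(ms_boot / "bootmgfw.efi")}
    return root, baseline

if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_esp()
    for reason, rel, digest in scan_esp(demo_root, demo_baseline):
        print(f"{reason}: {rel} sha256={digest[:16]}...")
```

On a real machine, point scan_esp at the mounted ESP and build the baseline from a trusted image of the same system; a hash mismatch on the boot manager or an unexpected .efi warrants offline inspection rather than in-place cleanup.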

The MFT contains critical metadata about all files on the system, and its encryption effectively renders the entire system unusable until the ransom is paid.
The malware uses the Salsa20 encryption algorithm with a 32-byte key and 8-byte nonce, displaying a fake CHKDSK message during the encryption process to deceive victims into believing their system is undergoing routine maintenance.
The ransomware samples were first uploaded to VirusTotal in February 2025 from Poland, using filenames such as "notpetyanew.exe" that clearly indicate their connection to the original NotPetya campaign.
However, unlike the purely destructive NotPetya malware that caused over $10 billion in damages during the 2017 attacks, HybridPetya appears to function as genuine ransomware, with operators capable of providing decryption keys upon payment.
ESET telemetry indicates that HybridPetya is not currently being used in active campaigns, suggesting it may still be in development or proof-of-concept stages.
The malware lacks the aggressive network propagation capabilities that made NotPetya so devastating, potentially limiting its spread.
However, security researchers warn that the technical sophistication demonstrated in these samples makes HybridPetya a significant threat to monitor going forward.
The ransomware displays ransom notes similar to the original NotPetya, demanding payment in Bitcoin to addresses controlled by the operators.
The ransom amount and specific payment instructions differ from the original NotPetya campaigns, indicating this is the work of different threat actors.
This development demonstrates that UEFI Secure Boot bypasses are becoming increasingly common and attractive to both security researchers and malicious actors.

Organizations can protect themselves by ensuring their systems have received Microsoft's January 2025 security updates, which address the CVE-2024-7344 vulnerability.
Regular security assessments, endpoint protection solutions, and maintaining current patch levels remain essential defenses against this emerging threat class.