Secure Boot Falls for the Fourth Time. HybridPetya Bypasses the Main Protection of Modern PCs

ExcalibuR

The malware skillfully disguises itself as a disk check. By the time the user realizes they are infected, it's too late.

Researchers from ESET have reported the emergence of a new ransomware family named HybridPetya. It combines techniques from the well-known Petya and NotPetya and can also bypass the Secure Boot mechanism of UEFI systems. To do so, the threat actors exploit CVE-2024-7344, patched in January 2025, which allowed an unsigned EFI application to be executed without integrity verification.

Samples of the malicious code first appeared on VirusTotal in February 2025. Unlike earlier Petya variants, this version can drop its EFI component onto the EFI System Partition and use it to encrypt the Master File Table (MFT), which holds the metadata for every file on an NTFS partition. While this runs, HybridPetya shows the user a fake disk check message that masks the encryption in progress.

The malware's architecture consists of two main parts: an installer and a bootkit. The bootkit reads the configuration and tracks the encryption state. The configuration holds a status flag with three values: "0" means ready for encryption, "1" means the disk is already encrypted, and "2" means the ransom has been paid and decryption has started. When the flag is "0", the bootkit uses the Salsa20 cipher to encrypt the file \EFI\Microsoft\Boot\verify and creates a service file named counter on the EFI partition to record how many clusters have been encrypted. It then begins locking all NTFS partitions.

Once the process is complete, the user is shown a ransom note demanding a transfer of 1000 dollars in Bitcoin to a specified wallet. Between February and May 2025 the address received only about 183 dollars; it is now empty.

After payment, the victim receives a key that is meant to unlock the verify file and set the flag to "2". To restore access, the bootkit reads the counter file, decrypts the clusters in sequence, and restores the original bootloaders bootx64.efi and bootmgfw.efi from its backups. When the procedure finishes, the user is prompted to reboot Windows.

A key feature of HybridPetya is that the changes the installer makes to the bootloaders during deployment trigger a crash and a Blue Screen of Death (BSOD). This guarantees that the malicious EFI module is launched at the next device startup. Some variants use an exploit for CVE-2024-7344 in the Howyar Reloader component (reloader.efi). This binary, renamed to bootmgfw.efi, searches the partition during boot for cloak.dat, which holds the encrypted bootkit, and loads it without any integrity check. This is how Secure Boot protection is bypassed. Microsoft revoked the vulnerable version of the binary in its January update.

According to ESET, no infections in the wild have been recorded so far, and the samples found may be a proof of concept. The researchers link the emergence of HybridPetya to an earlier prototype of a UEFI version of Petya published by independent researcher Alexandra Donets. The new find could therefore be either a real threat or an experiment.

HybridPetya is already the fourth publicly known example of boot code capable of bypassing Secure Boot. Before it, similar capabilities were demonstrated by BlackLotus (exploiting CVE-2022-21894), Bootkitty (a LogoFAIL attack), and the Hyper-V Backdoor PoC (exploiting CVE-2020-26200). ESET stresses that such bypasses are becoming more common and are attracting interest from researchers and attacking groups alike.