ESET Research has uncovered a sophisticated new ransomware variant known as HybridPetya, found on the VirusTotal sample-sharing platform.
This malware represents a dangerous evolution of the notorious Petya/NotPetya ransomware family, incorporating advanced capabilities to compromise UEFI-based systems and exploiting CVE-2024-7344 to bypass UEFI Secure Boot protections on vulnerable systems.
Unlike its predecessors, HybridPetya demonstrates significant technical advancement by targeting modern UEFI-based systems.
The malware installs a malicious EFI application directly onto the EFI System Partition, giving it unprecedented control over the boot process.
This technique allows the ransomware to operate at a lower level than conventional malware, making it extremely difficult to detect and remove using standard security tools.
The malware's most concerning feature is its exploitation of CVE-2024-7344, a critical UEFI Secure Boot bypass vulnerability that ESET Research previously disclosed in early 2025.
By leveraging a specially crafted cloak.dat file, HybridPetya can circumvent Secure Boot protections on outdated systems that have not received Microsoft's January 2025 security updates.
Security experts note that HybridPetya represents at least the fourth publicly known instance of UEFI bootkit malware with Secure Boot bypass functionality, joining BlackLotus, BootKitty, and the Hyper-V Backdoor proof-of-concept.
This bypass capability makes the malware particularly dangerous for organizations running legacy systems or those with delayed patch management cycles.
Technical Analysis and Attack Methodology
HybridPetya employs the same destructive encryption method as its predecessors, targeting the Master File Table (MFT) on NTFS-formatted partitions.

The MFT contains essential metadata about all files on the volume, and encrypting it effectively renders the entire system unusable until the ransom is paid.
The malware uses the Salsa20 encryption algorithm with a 32-byte key and 8-byte nonce, displaying a fake CHKDSK message during the encryption process to deceive victims into believing their system is undergoing routine maintenance.
The ransomware samples were first uploaded to VirusTotal in February 2025 from Poland, using filenames such as "notpetyanew.exe" that clearly indicate their connection to the original NotPetya campaign.
However, unlike the purely destructive NotPetya malware that caused over $10 billion in damages during the 2017 attacks, HybridPetya appears to function as genuine ransomware, with operators capable of providing decryption keys upon payment.
ESET telemetry indicates that HybridPetya is not currently being used in active campaigns, suggesting it may still be in the development or proof-of-concept stage.
The malware lacks the aggressive network propagation capabilities that made NotPetya so devastating, potentially limiting its spread.
However, security researchers warn that the technical sophistication demonstrated in these samples makes HybridPetya a significant threat that warrants continued monitoring.
The ransomware displays ransom notes similar to the original NotPetya, demanding payment in Bitcoin to addresses controlled by the operators.
The ransom amount and specific payment instructions differ from the original NotPetya campaigns, indicating this is the work of different threat actors.
This development demonstrates that UEFI Secure Boot bypasses are becoming increasingly common and attractive to both security researchers and malicious actors.

Organizations can protect themselves by ensuring their systems have received Microsoft's January 2025 security updates, which address the CVE-2024-7344 vulnerability.
Regular security assessments, endpoint protection solutions, and maintaining current patch levels remain essential defenses against this emerging threat class.
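Because HybridPetya stages its components on the EFI System Partition (a malicious EFI application plus the crafted cloak.dat file described above), a simple integrity check of the mounted ESP is one practical detection. The script below is an added example, not ESET's code or anything from the malware analysis: it assumes the ESP is mounted at a directory you pass in, and the baseline of known-good SHA-256 hashes is constructed for the demo and would be taken from a clean reference machine in practice.

```python
# Added example (not ESET's code): scan a mounted EFI System Partition for
# HybridPetya-style tampering. Assumptions: the ESP is mounted at esp_root;
# the baseline dict of known-good SHA-256 hashes is constructed here and must
# be taken from a clean reference machine in practice.
import hashlib
import os
import tempfile

SUSPECT_NAMES = {"cloak.dat"}  # file name the report ties to the Secure Boot bypass

def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_esp(esp_root, baseline):
    """Return sorted (finding, esp_relative_path) tuples; baseline maps lower-case
    forward-slash ESP-relative paths to the SHA-256 expected on a clean system."""
    findings, seen = [], set()
    for dirpath, _, names in os.walk(esp_root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, esp_root).replace(os.sep, "/").lower()
            seen.add(rel)
            if name.lower() in SUSPECT_NAMES:
                findings.append(("known-indicator", rel))
            if rel in baseline:
                if sha256_of(full) != baseline[rel]:
                    findings.append(("modified-boot-file", rel))
            elif rel.endswith(".efi"):  # EFI application not in the baseline
                findings.append(("unexpected-efi-binary", rel))
    for rel in baseline:
        if rel not in seen:
            findings.append(("missing-boot-file", rel))
    return sorted(findings)

def demo():
    """Constructed ESP layout: a replaced boot manager plus a staged cloak.dat."""
    root = tempfile.mkdtemp()
    boot = os.path.join(root, "EFI", "Microsoft", "Boot")
    os.makedirs(boot)
    clean = b"stand-in for the clean bootmgfw.efi"
    with open(os.path.join(boot, "bootmgfw.efi"), "wb") as fh:
        fh.write(clean + b" tampered")
    with open(os.path.join(boot, "cloak.dat"), "wb") as fh:
        fh.write(b"opaque payload")
    baseline = {"efi/microsoft/boot/bootmgfw.efi": hashlib.sha256(clean).hexdigest()}
    return scan_esp(root, baseline)
```

On a real host, mount the ESP read-only, point scan_esp at the mount point, and treat any "known-indicator" or "unexpected-efi-binary" finding as grounds for forensic imaging before remediation.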