‘HybridPetya’ Ransomware Bypasses Secure Boot

Summary

Researchers at ESET have identified a new malware strain named “HybridPetya” that blends features of Petya ransomware and the destructive NotPetya wiper, while adding the capability to bypass UEFI Secure Boot. The malware can write malicious UEFI payloads to the EFI System Partition and encrypt the NTFS Master File Table (MFT), making files inaccessible.

Some samples include an exploit for CVE-2024-7344 (Howyar Reloader), which allows unsigned code to be loaded during boot and defeats Secure Boot protections. ESET found samples on VirusTotal but has not observed confirmed real-world deployments yet. HybridPetya’s firmware-level persistence makes detection and remediation difficult, since it can survive OS reinstalls and drive wipes.

Key Points

  • HybridPetya mixes NotPetya-style destructive behaviour with Petya-like recoverable encryption of the MFT.
  • Targets UEFI-based systems by installing malicious code into the EFI System Partition for persistence.
  • Certain variants exploit CVE-2024-7344 (Howyar Reloader) to bypass Secure Boot and load unsigned boot code.
  • ESET located samples on VirusTotal but reports no confirmed active deployment in the wild to date.
  • Firmware/UEFI compromises are hard to detect and remove; organisations must treat UEFI like any other software asset.

Why should I read this?

Short and blunt: this one’s clever and nasty. If you look after endpoints or servers, read this so you’re not surprised when malware starts surviving reinstalls. It’s a timely reminder to patch firmware, audit UEFI components, and check boot-time logs — before someone else tests your recovery plan for you.

Context and Relevance

HybridPetya adds to a growing set of UEFI bootkits (BlackLotus, Bootkitty and others) that operate below the operating system, undermining traditional defences. Because these threats persist through OS-level clean-ups, the risk to organisations is magnified: regularly patched firmware, strict Secure Boot policies, inventorying of UEFI components, and offline backups are now essential controls. Agencies such as CISA have urged firmware auditing and continuous monitoring of UEFI activity — this development reinforces that guidance.
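Since HybridPetya persists by writing its own UEFI payload to the EFI System Partition, the practical inventory control above is a baseline of every boot executable on the ESP and a periodic diff against it. The script below is an added example, not code from ESET or the article; it assumes the ESP is mounted at a path you pass in (for example /boot/efi on Linux, or a drive letter assigned with `mountvol` on Windows), and the `demo()` function builds a constructed sample ESP in a temporary directory so the check can be exercised offline.

```python
"""Baseline-and-diff check for EFI executables on the EFI System Partition.

Added example (not ESET's or Dark Reading's code). The ESP mount point and
baseline file name are assumptions; run as root/Administrator with the ESP
mounted read-only, store the baseline somewhere the bootkit cannot reach.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def inventory_esp(esp_root: str) -> Dict[str, str]:
    """Return {relative_path: sha256} for every *.efi file under esp_root."""
    root = Path(esp_root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".efi":
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            inventory[path.relative_to(root).as_posix()] = digest
    return inventory


def diff_inventory(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Boot executables added, removed, or modified since the baseline was taken."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),      # e.g. a dropped bootkit loader
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),  # replaced bootmgr
    }


def save_baseline(inventory: Dict[str, str], baseline_file: str) -> None:
    Path(baseline_file).write_text(json.dumps(inventory, indent=2))


def load_baseline(baseline_file: str) -> Dict[str, str]:
    return json.loads(Path(baseline_file).read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed sample ESP: baseline it, tamper with it, report the diff."""
    esp = tempfile.mkdtemp()
    boot = Path(esp, "EFI", "BOOT")
    boot.mkdir(parents=True)
    (boot / "BOOTX64.EFI").write_bytes(b"MZ-constructed-original-loader")
    save_baseline(inventory_esp(esp), os.path.join(esp, "baseline.json"))
    (boot / "BOOTX64.EFI").write_bytes(b"MZ-constructed-replaced-loader")  # modified
    (boot / "extra.efi").write_bytes(b"MZ-constructed-unexpected-binary")  # dropped
    return diff_inventory(load_baseline(os.path.join(esp, "baseline.json")), inventory_esp(esp))
```

Any non-empty `added` or `changed` list against a known-good baseline is a finding worth an offline image of the ESP before anything is touched.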

Source

Source: https://www.darkreading.com/vulnerabilities-threats/hybridpetya-ransomware-bypasses-secure-boot