
New HybridPetya Ransomware Strikes Before Boot

HybridPetya is ransomware that bypasses UEFI Secure Boot to encrypt systems before they start.

Sep 17, 2025

Cybersecurity researchers have recently uncovered a novel ransomware strain, HybridPetya, that blends characteristics of the infamous Petya/NotPetya malware with advanced firmware-level attack capabilities.

This new threat leverages a vulnerability in the Unified Extensible Firmware Interface (UEFI) to bypass Secure Boot, placing modern systems at risk of compromise before their operating systems even load.

Technical overview

Cybersecurity firm ESET reported that HybridPetya samples first appeared as uploads to VirusTotal. The ransomware encrypts the Master File Table (MFT) of NTFS partitions, rendering file systems inaccessible without the decryption key. Unlike its predecessors, HybridPetya installs a malicious EFI application on the EFI System Partition, allowing it to execute during system startup and evade conventional security tools.

The malware consists of two primary components:

  • Installer: Deploys the payload and modifies bootloaders.
  • Bootkit: Responsible for loading configuration data, initiating encryption, and displaying deceptive disk-check messages.

HybridPetya exploits CVE-2024-7344, a remote code execution vulnerability in the Howyar Reloader UEFI application. By abusing a renamed copy of that binary (bootmgfw.efi) and a crafted file (cloak.dat), HybridPetya loads unsigned code without integrity checks, effectively bypassing UEFI Secure Boot.

Microsoft addressed this vulnerability in its January 2025 Patch Tuesday update, but unpatched systems remain vulnerable.
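The January 2025 fix works by adding the vulnerable loader's hash to the Secure Boot forbidden-signature database (dbx), so a quick way to confirm a machine is protected is to read its dbx variable and check that the revoked hash is present. The following parser is an added example written for this article, not ESET's or Microsoft's tooling. It assumes you already hold the revoked hash (the placeholder below is constructed; the real value is not given here) and that it is an Authenticode PE image digest, which is what dbx stores for binaries, so a plain `sha256sum` of the file will not match.

```python
"""Parse a UEFI dbx blob (a sequence of EFI_SIGNATURE_LIST structures) and test
whether particular SHA-256 entries are revoked.

Added example; the layout follows the UEFI specification:
  EFI_SIGNATURE_LIST = SignatureType GUID (16) | SignatureListSize u32 |
                       SignatureHeaderSize u32 | SignatureSize u32 |
                       header[SignatureHeaderSize] | entries...
  each entry          = SignatureOwner GUID (16) | SignatureData
"""
import struct
import sys
import uuid

# GUID that marks a signature list holding raw SHA-256 digests (EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Constructed placeholder; substitute the revoked hash you are checking for.
REVOKED_HASH_PLACEHOLDER = "00" * 32


def strip_efivars_attributes(raw: bytes) -> bytes:
    """Files under /sys/firmware/efi/efivars carry a 4-byte attribute prefix; drop it."""
    return raw[4:]


def parse_signature_lists(blob: bytes) -> list:
    """Return [(signature_type_guid, [(owner_guid, data_bytes), ...]), ...]."""
    lists, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end, entries = off + 28 + hdr_size, off + list_size, []
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        lists.append((sig_type, entries))
        off += list_size
    return lists


def revoked_sha256_hashes(blob: bytes) -> set:
    """Collect every SHA-256 digest (lower-case hex) from the SHA-256 lists in dbx."""
    hashes = set()
    for sig_type, entries in parse_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            hashes.update(data.hex() for _owner, data in entries)
    return hashes


def is_hash_revoked(hex_digest: str, blob: bytes) -> bool:
    return hex_digest.lower() in revoked_sha256_hashes(blob)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; used here to construct test input."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


if __name__ == "__main__":
    # Usage: python dbx_check.py <dbx-dump-file> <hex-sha256> [--efivars]
    raw = open(sys.argv[1], "rb").read()
    if "--efivars" in sys.argv:
        raw = strip_efivars_attributes(raw)
    target = sys.argv[2] if len(sys.argv) > 2 else REVOKED_HASH_PLACEHOLDER
    print("revoked" if is_hash_revoked(target, raw) else "NOT revoked", target)
```

On Linux the variable can be read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` (pass `--efivars` so the 4-byte attribute prefix is removed); on Windows, `Get-SecureBootUEFI -Name dbx` returns the same bytes. An absent entry means the revocation has not reached the firmware, whatever the OS patch level says.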

Encryption and decryption process

HybridPetya employs the Salsa20 algorithm to encrypt \EFI\Microsoft\Boot\verify and subsequently the entire MFT. 

A status flag controls three states:

  1. Ready for encryption
  2. Encrypted
  3. Decrypted after ransom payment

Victims are presented with a fake CHKDSK screen while encryption proceeds silently. Upon payment of a $1,000 Bitcoin ransom, users can input a decryption key, which, if valid, triggers restoration of the original bootloaders and recovery of the encrypted data.

Comparison to prior bootkits

HybridPetya joins an emerging class of UEFI bootkits, including BlackLotus, BootKitty, and the Hyper-V Backdoor proof-of-concept. Unlike NotPetya, which acted as a destructive wiper, HybridPetya is designed for financial gain, supporting decryption upon payment. Researchers speculate it may still be in a proof-of-concept stage, as no confirmed in-the-wild attacks have been reported.

Implications for firmware security

Firmware-level attacks present a growing challenge for defenders. Because UEFI runs before an operating system, malware at this layer can execute with elevated privileges, evade endpoint protections, and persist through system reinstalls. Recent work, such as the Shade BIOS technique, highlights how attackers are increasingly targeting pre-OS environments to bypass security entirely.

Defensive recommendations

Security professionals recommend the following measures to mitigate HybridPetya’s risk:

  • Apply Microsoft’s January 2025 patch and verify firmware updates via the Linux Vendor Firmware Service where applicable.
  • Audit UEFI bootloaders for tampering and enforce strict Secure Boot policies.
  • Monitor for unauthorized EFI applications or suspicious files (e.g., cloak.dat).
  • Maintain offline backups and educate administrators about firmware threats. 
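The second and third recommendations can be turned into a repeatable check: capture a hash baseline of the EFI System Partition on a trusted machine, then re-audit it for files that were added, changed or removed, with the article's named indicators (cloak.dat, the verify file, a bootmgfw.efi outside its normal path) flagged explicitly. The script below is an added example written for this article, not ESET's or any vendor's tool; it assumes the ESP is mounted or copied at a directory you pass in (for example /boot/efi on Linux), and its severities and the expected boot manager path are assumptions.

```python
"""Audit an EFI System Partition against a known-good baseline.

Added example. Paths are compared case-insensitively because the ESP is FAT32.
Indicator file names come from the article; everything else is an assumption.
"""
import hashlib
import json
import sys
from pathlib import Path, PurePosixPath

# File names the article associates with HybridPetya, anywhere on the ESP.
SUSPICIOUS_NAMES = {"cloak.dat", "verify"}
# Where the genuine Windows boot manager lives; a bootmgfw.efi elsewhere is suspect.
EXPECTED_BOOTMGFW = "efi/microsoft/boot/bootmgfw.efi"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(esp_root):
    """Yield (normalised relative POSIX path, Path) for every regular file."""
    root = Path(esp_root)
    for p in root.rglob("*"):
        if p.is_file():
            yield p.relative_to(root).as_posix().lower(), p


def build_baseline(esp_root) -> dict:
    """Map every file on the ESP to its SHA-256; run this on a machine you trust."""
    return {rel: _sha256(p) for rel, p in _walk(esp_root)}


def audit_esp(esp_root, baseline: dict) -> list:
    """Return sorted (severity, relpath, reason) findings; [] means no deviation."""
    findings, seen = [], set()
    for rel, p in _walk(esp_root):
        seen.add(rel)
        name = PurePosixPath(rel).name
        if name in SUSPICIOUS_NAMES:
            findings.append(("high", rel, "file name matches HybridPetya indicator"))
        if name == "bootmgfw.efi" and rel != EXPECTED_BOOTMGFW:
            findings.append(("high", rel, "bootmgfw.efi outside expected boot path"))
        if rel not in baseline:
            # An unknown EFI application is the installer's footprint; treat as high.
            sev = "high" if rel.endswith(".efi") else "medium"
            findings.append((sev, rel, "not in baseline"))
        elif baseline[rel] != _sha256(p):
            # Covers the renamed vulnerable loader replacing the real bootmgfw.efi.
            findings.append(("high", rel, "hash differs from baseline"))
    for rel in baseline.keys() - seen:
        findings.append(("medium", rel, "present in baseline but missing"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python esp_audit.py baseline <esp-dir> <out.json>
    #        python esp_audit.py audit    <esp-dir> <baseline.json>
    mode, esp, manifest = sys.argv[1:4]
    if mode == "baseline":
        Path(manifest).write_text(json.dumps(build_baseline(esp), indent=1))
    else:
        for sev, rel, reason in audit_esp(esp, json.loads(Path(manifest).read_text())):
            print(f"{sev:6} {rel}: {reason}")
```

Store the baseline off the machine (an attacker with write access to the ESP can also rewrite a manifest kept beside it), and re-run the audit after every legitimate boot manager or firmware update so that expected changes do not drown out real ones.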

HybridPetya shows the evolution of ransomware into firmware domains, eroding the boundary between traditional malware and pre-OS exploits. 

Its ability to bypass Secure Boot, encrypt critical filesystem structures, and persist outside the operating system represents a significant escalation in ransomware tactics. Proactive patching, UEFI integrity audits, and strict firmware security policies are essential to defend against this new generation of threats.
