HybridPetya Ransomware Bypasses UEFI Secure Boot

ESET found HybridPetya, a Petya-style ransomware that exploits CVE-2024-7344 to bypass UEFI Secure Boot, install a bootkit, encrypt MFT clusters, and demand Bitcoin.

A newly identified ransomware strain named HybridPetya can bypass UEFI Secure Boot and install a malicious bootkit on the EFI System Partition, researchers say. The sample, found on VirusTotal and analyzed by ESET, combines technical traits from the destructive Petya/NotPetya family with a new Secure Boot bypass that uses the CVE-2024-7344 vulnerability.

Discovery and Context of the Sample

ESET researchers located the HybridPetya sample on VirusTotal and cautioned that it may be a proof of concept, a research project, or an early-stage criminal tool under limited testing. The finding joins a string of recent UEFI bootkit projects, including BlackLotus, BootKitty and the Hyper-V Backdoor, that demonstrate how boot-level malware can evade platform protections. ESET reported the underlying Secure Boot weakness in January 2025 as CVE-2024-7344, a flaw involving Microsoft-signed applications that could be abused to deploy bootkits even when Secure Boot is enabled. Microsoft addressed CVE-2024-7344 in the January 2025 Patch Tuesday release, the vendor confirmed.

Installation Logic and Files Dropped to the EFI Partition

Upon execution, HybridPetya checks whether the host uses UEFI with GPT partitioning and, if so, drops a bootkit into the EFI System Partition. The malware creates a set of files under the Windows boot path and modifies bootloader components so that the malicious code runs at startup. Variants analyzed by ESET include files placed under \EFI\Microsoft\Boot\, such as:

• config — holds an encryption flag, the Salsa20 key, nonce, and a victim identifier
• verify — used to check whether an entered decryption key is correct
• counter — tracks progress of encrypted clusters
• bootmgfw.efi.old — backup of the original Windows bootloader
• cloak.dat — contains an XORed bootkit payload used in the Secure Boot bypass variant

To enable execution, HybridPetya replaces \EFI\Microsoft\Boot\bootmgfw.efi with a vulnerable reloader.efi binary and removes \EFI\Boot\bootx64.efi. The original bootloader is retained as a backup file to support recovery if the attacker later provides a decryption key.
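The file layout described above gives defenders a simple on-disk check. The following is an added example (not ESET's tooling or code from the article) that scores an EFI System Partition listing against the dropped file names and the removed fallback loader; the listings it runs on are constructed, and the `assess_esp` helper and its verdict labels are this example's own.

```python
# Added example: flag the HybridPetya ESP installation pattern in a path listing.
from pathlib import PureWindowsPath

BOOT_DIR = PureWindowsPath(r"\EFI\Microsoft\Boot")
# File names dropped next to the Windows bootloader, as described by ESET.
DROPPED_FILES = ("config", "verify", "counter", "bootmgfw.efi.old", "cloak.dat")
# The fallback loader the malware removes.
FALLBACK_LOADER = PureWindowsPath(r"\EFI\Boot\bootx64.efi")


def _norm(path):
    # FAT32 ESPs are case-insensitive; compare normalised Windows paths.
    return str(PureWindowsPath(path)).lower()


def assess_esp(listing):
    """Score an ESP file listing (iterable of paths rooted at the ESP).

    Returns (verdict, findings). 'infected' needs at least one dropped
    artefact; a missing bootx64.efi alone is only 'review', because some
    clean installs lack that fallback loader.
    """
    present = {_norm(p) for p in listing}
    findings = []
    for name in DROPPED_FILES:
        if _norm(BOOT_DIR / name) in present:
            findings.append(f"dropped artefact present: {BOOT_DIR / name}")
    artefacts = len(findings)
    if _norm(FALLBACK_LOADER) not in present:
        findings.append(f"fallback loader missing: {FALLBACK_LOADER}")
    if artefacts:
        return "infected", findings
    if findings:
        return "review", findings
    return "clean", findings


# Constructed sample listings (hypothetical, not real captures).
CLEAN_ESP = [
    r"\EFI\Microsoft\Boot\bootmgfw.efi",
    r"\EFI\Microsoft\Boot\BCD",
    r"\EFI\Boot\bootx64.efi",
]
INFECTED_ESP = [
    r"\EFI\Microsoft\Boot\bootmgfw.efi",      # now the vulnerable reloader.efi
    r"\EFI\Microsoft\Boot\bootmgfw.efi.old",  # backup of the original loader
    r"\EFI\Microsoft\Boot\config",
    r"\EFI\Microsoft\Boot\verify",
    r"\EFI\Microsoft\Boot\counter",
    r"\EFI\Microsoft\Boot\cloak.dat",
]  # \EFI\Boot\bootx64.efi has been removed

if __name__ == "__main__":
    for label, esp in (("clean", CLEAN_ESP), ("infected", INFECTED_ESP)):
        print(label, "->", assess_esp(esp))
```

A name match is only a triage signal; the stronger check is to confirm that bootmgfw.efi is still the genuine Microsoft-signed loader rather than the reloader.efi binary.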

Attack Chain, Fake Errors and Encryption Actions

After installation, HybridPetya triggers a blue screen of death (BSOD) with a bogus error message and forces a reboot. On restart the malicious bootkit executes before Windows loads. The bootkit encrypts Master File Table (MFT) clusters using the Salsa20 stream cipher with the key and nonce retrieved from the config file. During the process the victim sees a fake CHKDSK screen, echoing the deception used by NotPetya. When encryption completes, the system reboots again and displays a ransom note at boot.

Ransom Note and Claimed Recovery Mechanism

The on-boot ransom demand requests a Bitcoin payment of $1,000. The attackers state that, after payment, the victim will receive a 32-character key to enter on the ransom screen. Entering that key is claimed to restore the original bootloader, decrypt the affected clusters and allow the machine to restart normally. ESET's analysis notes that the original bootloader backup exists specifically to enable this described recovery flow.

Current Observations, Potential for Weaponization and Defenses Reported

HybridPetya has not been observed in confirmed active attacks in the wild; ESET and other analysts treat the sample as an indicator of evolving capability rather than proven campaign activity. Researchers warned that proof-of-concept code like this could be weaponized and reused by threat actors to target unpatched Windows endpoints.

Indicators of compromise and technical artefacts tied to the analyzed samples have been published to help defenders; ESET and other labs referenced a public repository of IOCs on GitHub. Microsoft's January 2025 security update that patches CVE-2024-7344 protects systems on which it has been applied. Published advisories accompanying the analysis also highlighted routine resilience measures cited in past ransomware incidents, including maintaining reliable offline backups and ensuring timely application of vendor security updates.
