HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344
Summary
A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.
Timeline
- 12.09.2025 14:50 · 2 articles · 1d ago
HybridPetya Ransomware Samples Uploaded to VirusTotal in February 2025
Cybersecurity researchers discovered samples of HybridPetya uploaded to VirusTotal in February 2025. The ransomware strain resembles Petya/NotPetya and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. It encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application. The ransomware uses a bootkit and an installer to manage encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC).
Sources:
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit · thehackernews.com · 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot · www.bleepingcomputer.com · 12.09.2025 20:18
Information Snippets
- HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions. (First reported 12.09.2025 14:50; 2 sources: thehackernews.com, www.bleepingcomputer.com)
- The ransomware installs a malicious EFI application on the EFI System Partition. (First reported 12.09.2025 14:50; 2 sources: thehackernews.com, www.bleepingcomputer.com)
- HybridPetya uses a bootkit and an installer to manage encryption and decryption. (First reported 12.09.2025 14:50; 2 sources: thehackernews.com, www.bleepingcomputer.com)
- The bootkit displays fake CHKDSK messages to deceive victims. (First reported 12.09.2025 14:50; 2 sources: thehackernews.com, www.bleepingcomputer.com)
- The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. (First reported 12.09.2025 14:50; 2 sources: thehackernews.com, www.bleepingcomputer.com)
- HybridPetya exploits CVE-2024-7344 to bypass UEFI Secure Boot. (First reported 12.09.2025 14:50; 2 sources: thehackernews.com, www.bleepingcomputer.com)
- The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. (First reported 12.09.2025 14:50; 2 sources: thehackernews.com, www.bleepingcomputer.com)
- Microsoft revoked the vulnerable Howyar Reloader UEFI binary in January 2025. (First reported 12.09.2025 14:50; 2 sources: thehackernews.com, www.bleepingcomputer.com)
- ESET's telemetry data indicates no evidence of HybridPetya being used in the wild. (First reported 12.09.2025 14:50; 1 source: thehackernews.com)
Similar Happenings
CVE-2025-5086 in DELMIA Apriso Exploited in the Wild
A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.
The Gentlemen Ransomware Gang Exploits Vulnerable Driver to Disable Security Tools
The Gentlemen ransomware gang has been observed using a vulnerable driver to disable security products in targeted networks. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to exploit a high-severity vulnerability in the ThrottleStop driver, allowing them to terminate antivirus and extended detection and response (EDR) processes. The group has demonstrated advanced capabilities and adaptability, posing a significant threat to enterprise environments. The gang uses ThrottleBlood.sys, a renamed version of the legitimate ThrottleStop.sys driver, to exploit CVE-2025-7771. This vulnerability allows the ransomware to gain kernel-level access, disabling security measures and facilitating file encryption. The Gentlemen have also been observed using customized tools and in-depth reconnaissance to tailor their attacks to specific security solutions.
EvilAI Malware Campaign Targets Global Organizations with AI-Enhanced Stealth Tactics
A threat actor is using AI-enhanced malware to infiltrate organizations worldwide. The campaign, dubbed EvilAI, has infected hundreds of victims across multiple sectors, including manufacturing, government, and healthcare. The malware is concealed within seemingly legitimate productivity and AI-enhanced apps, leveraging digital signatures and realistic features to avoid detection. The malware performs extensive reconnaissance and attempts to disable security products, setting the stage for future attacks. The malware is distributed through malicious advertisements and promoted links on search engines and social media. Once installed, it remains persistent on compromised systems and uses obfuscation techniques to evade detection. The campaign is ongoing and evolving, with new apps and tactics being deployed rapidly.
Evolved Vidar Infostealer Campaigns Target Windows Environments
The Vidar infostealer, first tracked in late 2018, has evolved with new obfuscation techniques and enhanced stealth capabilities. This malware-as-a-service targets Windows environments, stealing credentials, financial data, and other sensitive information. It spreads through social engineering, malicious websites, and malvertising campaigns. The latest iteration uses encrypted command-and-control (C2) channels, Living-off-the-Land Binaries (LOLBins), and covert exfiltration methods to evade detection. The malware employs PowerShell scripts for stealthy payload retrieval, disguises traffic as legitimate PowerShell activity, and uses exponential backoff with jitter to avoid detection. It also attempts to bypass Windows Defender and Antimalware Scan Interface (AMSI) to maintain persistence and evade defenses. The C2 server used for data exfiltration is TLS-encrypted.
Senator Wyden calls for FTC probe into Microsoft's role in ransomware attacks on U.S. critical infrastructure
U.S. Senator Ron Wyden has urged the Federal Trade Commission (FTC) to investigate Microsoft for alleged cybersecurity negligence that facilitated ransomware attacks on U.S. critical infrastructure, including healthcare networks. Wyden's call follows a ransomware attack on Ascension, a healthcare system, which resulted in the theft of personal and medical information of nearly 5.6 million individuals. The attack, attributed to the Black Basta ransomware group, exploited insecure default settings in Microsoft software and the RC4 encryption algorithm. The breach occurred when a contractor clicked on a malicious link in Microsoft's Bing search engine, leading to malware infection and subsequent elevated access to Ascension's network. Wyden's office highlighted Microsoft's continued support for RC4, an outdated and insecure encryption technology, as a significant vulnerability. Microsoft has acknowledged the issues and plans to deprecate RC4 support in future updates to Windows 11 and Windows Server 2025. The company also outlined mitigations to protect against Kerberoasting attacks, which target the Kerberos authentication protocol. Wyden's office urged Microsoft to warn customers about the dangers of using RC4 instead of AES 128/256, and Microsoft responded with a technical blog post in October 2024, which was criticized for not clearly conveying the warning to decision-makers. Microsoft is actively working to gradually remove RC4 and is providing advice for using the algorithm in the safest ways possible.