HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344
Summary
HybridPetya, a Petya/NotPetya-style ransomware that can bypass UEFI Secure Boot by exploiting CVE-2024-7344, has been discovered. The vulnerability lies in the Howyar Reloader UEFI application, a third-party loader signed under Microsoft's UEFI CA that loads a second-stage binary without signature verification; HybridPetya abuses it to run a malicious, unsigned EFI application, a UEFI bootkit, which encrypts the Master File Table (MFT) of NTFS-formatted partitions. The package consists of the bootkit and an installer. Samples were first uploaded to VirusTotal in February 2025, and the Bitcoin wallet named in the ransom note has received payments totaling $183.32. The bootkit has three states: ready for encryption, already encrypted, and decrypted after ransom payment. It encrypts with the Salsa20 stream cipher and keeps a counter file that records how many disk clusters have been encrypted. The ransom note demands $1,000 in Bitcoin; after payment the victim enters a 32-character key, and the bootkit decrypts the MFT, restores the legitimate bootloader and reboots the system. To deploy the bootkit on a machine with Secure Boot enabled, the installer replaces the original Windows bootloader on the EFI System Partition with the vulnerable Microsoft-signed application and removes the default bootloader file, then triggers a BSOD to force a reboot into the bootkit, which shows a fake CHKDSK message while it encrypts. Microsoft revoked the vulnerable binaries in the January 2025 Patch Tuesday update (adding them to the Secure Boot dbx revocation list), so Windows systems that have applied it are protected from the bypass; the revocation does not help a machine with Secure Boot disabled, where a bootkit needs no bypass at all. Offline backups remain a solid practice against ransomware.
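The three-state bootkit, the Salsa20 cluster encryption with a progress counter, and the key check that precedes decryption, modeled as an added example written for this page (not code from HybridPetya's authors or from the reporting vendors). The record layouts (a one-byte flag plus key and nonce in the config entry, a 32-bit cluster count, a verify blob of keystream over zeros) and the per-cluster keystream scheme are assumptions for illustration; the sample's real file formats are not given on this page. A dict stands in for the bootkit's files on the EFI System Partition and a bytearray for the disk, so nothing touches real storage.

```python
"""Toy model of the three-state bootkit described above: Salsa20 over MFT clusters, a
counter entry recording how many clusters are encrypted, a verify blob used to validate
the entered key, and wiping of the key once encryption completes. A dict stands in for
the bootkit's files on the EFI System Partition and a bytearray for the disk; nothing
touches real storage. Added example; the record layouts are illustrative assumptions."""
import secrets
import struct

CLUSTER = 4096                              # bytes per simulated NTFS cluster
READY, ENCRYPTED, DECRYPTED = 0, 1, 2       # the bootkit's three states
VERIFY_CTR = 1 << 62                        # keystream counter reserved for the verify blob
_SIGMA = struct.unpack("<4I", b"expand 32-byte k")

def _rotl(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _qr(x, a, b, c, d):                     # Salsa20 quarter-round
    x[b] ^= _rotl((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl((x[d] + x[c]) & 0xFFFFFFFF, 18)

def salsa20_block(key, nonce, counter):
    """64-byte Salsa20/20 keystream block: 32-byte key, 8-byte nonce, 64-bit block counter."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    s = [_SIGMA[0], *k[:4], _SIGMA[1], *n, counter & 0xFFFFFFFF, counter >> 32,
         _SIGMA[2], *k[4:], _SIGMA[3]]
    x = list(s)
    for _ in range(10):                     # 10 double-rounds = 20 rounds
        _qr(x, 0, 4, 8, 12); _qr(x, 5, 9, 13, 1); _qr(x, 10, 14, 2, 6); _qr(x, 15, 3, 7, 11)
        _qr(x, 0, 1, 2, 3); _qr(x, 5, 6, 7, 4); _qr(x, 10, 11, 8, 9); _qr(x, 15, 12, 13, 14)
    return struct.pack("<16I", *((x[i] + s[i]) & 0xFFFFFFFF for i in range(16)))

def xor_cluster(key, nonce, idx, data):
    """Cluster idx owns counter range [idx*64, idx*64+64): clusters decrypt independently,
    which is what lets the bootkit resume from the counter and later undo exactly what it did."""
    out = bytearray(data)
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, idx * (CLUSTER // 64) + off // 64)
        for j in range(min(64, len(data) - off)):
            out[off + j] ^= ks[j]
    return bytes(out)

def read_config(esp):                       # -> (flag, key, nonce); key is zeroed once encrypted
    return struct.unpack("<B32s8s", esp["config"])

def read_counter(esp):                      # clusters encrypted so far
    return struct.unpack("<I", esp["counter"])[0]

def install(esp):
    """Installer stage: fresh key/nonce, state READY, verify blob, counter 0. Returns the key
    the attacker keeps (the page's 32-character key, as raw bytes here)."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(8)
    esp["config"] = struct.pack("<B32s8s", READY, key, nonce)
    esp["verify"] = salsa20_block(key, nonce, VERIFY_CTR)   # 64 zero bytes XOR keystream
    esp["counter"] = struct.pack("<I", 0)
    return key

def encrypt_mft(disk, esp, stop_after=None):
    """READY stage: encrypt from the saved counter onward, persisting the counter per cluster
    (stop_after simulates a reboot mid-run). On completion flip to ENCRYPTED and wipe the key."""
    flag, key, nonce = read_config(esp)
    if flag != READY:
        return read_counter(esp)
    total, idx = len(disk) // CLUSTER, read_counter(esp)
    while idx < total and (stop_after is None or idx < stop_after):
        lo, hi = idx * CLUSTER, (idx + 1) * CLUSTER
        disk[lo:hi] = xor_cluster(key, nonce, idx, disk[lo:hi])
        idx += 1
        esp["counter"] = struct.pack("<I", idx)
    if idx == total:
        esp["config"] = struct.pack("<B32s8s", ENCRYPTED, bytes(32), nonce)
    return idx

def verify_key(esp, key):
    """Validate an entered key against the verify blob before touching the disk."""
    return esp["verify"] == salsa20_block(key, read_config(esp)[2], VERIFY_CTR)

def recover(disk, esp, key):
    """Decryption stage: refuse an invalid key, undo exactly the clusters the counter covers,
    then flip to DECRYPTED (restoring the original bootloader is left out of the model)."""
    if not verify_key(esp, key):
        return False
    nonce = read_config(esp)[2]
    for idx in range(read_counter(esp)):
        lo, hi = idx * CLUSTER, (idx + 1) * CLUSTER
        disk[lo:hi] = xor_cluster(key, nonce, idx, disk[lo:hi])
    esp["config"] = struct.pack("<B32s8s", DECRYPTED, bytes(32), nonce)
    return True

def run_scenario():
    """Constructed 8-cluster disk: encrypt 3 clusters, 'reboot', finish, try a wrong key, recover."""
    original = secrets.token_bytes(8 * CLUSTER)
    disk, esp = bytearray(original), {}
    key = install(esp)
    first = encrypt_mft(disk, esp, stop_after=3)
    mid_state = read_config(esp)[0]
    done = encrypt_mft(disk, esp)
    return {"first": first, "mid_state": mid_state, "done": done,
            "wrong_key_accepted": recover(disk, esp, bytes(32)), "recovered": recover(disk, esp, key),
            "intact": bytes(disk) == original, "final_state": read_config(esp)[0]}
```

What the model makes visible: because each cluster's keystream depends only on the cluster index, the counter alone tells the decryption routine which clusters to undo after an interrupted run; wiping the key from the config once the flag flips to "already encrypted" is what makes the attacker-held key the only way back; and the verify blob lets the bootkit reject a mistyped key without damaging the MFT further, which is the "recoverable" half that distinguishes this design from NotPetya's wiper behaviour.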
Timeline
- 12.09.2025 14:50 · 2 articles
HybridPetya Ransomware Discovered
Samples of a new Petya/NotPetya copycat, HybridPetya, were reported. It borrows the visual style and attack chain of the older strains and adds a UEFI bootkit; some samples exploit CVE-2024-7344 in a Microsoft-signed third-party UEFI application to deploy the bootkit even with Secure Boot active on the target. The installer replaces the original Windows bootloader with the vulnerable signed loader, removes the default bootloader file and triggers a BSOD so the machine reboots into the bootkit, which shows a fake CHKDSK message while encrypting the MFT and uses several files on the EFI System Partition to track encryption progress and validate the decryption key. After payment the victim enters a 32-character key that decrypts the MFT and restores the system. HybridPetya has not been observed in real attacks, but similar projects may weaponize the proof of concept. Microsoft revoked the vulnerable binaries in the January 2025 Patch Tuesday update, protecting updated Windows systems from the bypass; offline backups remain a solid practice against ransomware.
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
Information Snippets
- HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions.
  First reported: 12.09.2025 14:50 · 2 sources, 2 articles
  - New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- The ransomware consists of a bootkit and an installer; the installer deploys the malicious EFI application (the bootkit) to the EFI System Partition.
  First reported: 12.09.2025 14:50 · 2 sources, 2 articles
  - New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- The bootkit has three states: ready for encryption, already encrypted, and decrypted after ransom payment.
  First reported: 12.09.2025 14:50 · 2 sources, 2 articles
  - New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- HybridPetya exploits CVE-2024-7344 in the Howyar Reloader UEFI application to bypass Secure Boot.
  First reported: 12.09.2025 14:50 · 2 sources, 2 articles
  - New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- The bootkit encrypts with the Salsa20 stream cipher and keeps a counter file that records how many disk clusters have been encrypted.
  First reported: 12.09.2025 14:50 · 2 sources, 2 articles
  - New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- The ransom note demands $1,000 in Bitcoin; decryption after payment also restores the legitimate bootloader.
  First reported: 12.09.2025 14:50 · 2 sources, 2 articles
  - New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- HybridPetya allows the decryption key to be reconstructed from the victim's personal installation key, so its encryption is recoverable rather than purely destructive.
  First reported: 12.09.2025 14:50 · 2 sources, 2 articles
  - New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- Samples were first uploaded to VirusTotal in February 2025, and the Bitcoin wallet named in the ransom note has received payments totaling $183.32.
  First reported: 12.09.2025 14:50 · 2 sources, 2 articles
  - New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit — thehackernews.com — 12.09.2025 14:50
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- HybridPetya incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain of these older malware strains.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- CVE-2024-7344 affects a Microsoft-signed third-party UEFI application, so it can be exploited to deploy bootkits even with Secure Boot protection active on the target.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- HybridPetya uses several files on the EFI System Partition to track encryption progress and validate the decryption key.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- The installer replaces the original Windows bootloader with the vulnerable Microsoft-signed loader and removes the default bootloader file.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- The installer triggers a BSOD and forces a system reboot so that the malicious bootkit executes.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- The bootkit displays a fake CHKDSK message during encryption, as NotPetya did.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- After ransom payment the victim receives a 32-character key that the bootkit uses to decrypt the MFT and restore the system.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- HybridPetya has not been observed in any real attacks in the wild, but similar projects may weaponize the proof of concept.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- Microsoft revoked the vulnerable binaries in the January 2025 Patch Tuesday update, protecting updated Windows systems from HybridPetya's Secure Boot bypass.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
- Offline backups are recommended as a solid practice against ransomware.
  First reported: 12.09.2025 20:18 · 1 source, 1 article
  - New HybridPetya ransomware can bypass UEFI Secure Boot — www.bleepingcomputer.com — 12.09.2025 20:18
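Triage of a mounted EFI System Partition for the deployment pattern the snippets above describe: the Windows Boot Manager swapped for the vulnerable signed loader, the original kept beside it under another name, payload and state files dropped next to the loader, and the default bootloader removed. This is an added example written for this page, not the reporting vendors' tooling. The Boot Manager and fallback-loader paths are the standard Windows ones; the trusted-hash set and the baseline listing are constructed placeholders to be replaced with values from a known-clean machine of the same Windows build; and the sidecar and state-file names in the constructed infected tree, together with the one-byte flag and 32-bit counter layout it parses, are illustrative assumptions to be checked against published indicators.

```python
"""Triage a mounted EFI System Partition (ESP) for a swapped Windows Boot Manager, a renamed
copy of the original, extra files beside the loader, a missing fallback loader and bootkit
state files. Added example; baseline, hashes and the infected tree are constructed, and the
sidecar/state-file names and record layouts are assumptions, not confirmed indicators."""
import hashlib
import os
import struct
import tempfile

BOOT_DIR = os.path.join("EFI", "Microsoft", "Boot")
BOOTMGR = os.path.join(BOOT_DIR, "bootmgfw.efi")          # Windows Boot Manager
FALLBACK = os.path.join("EFI", "Boot", "bootx64.efi")     # default (removable-media) loader
BASELINE = {"bootmgfw.efi", "BCD"}     # constructed baseline; take yours from a clean machine
STATE_FILES = {"config", "counter", "verify"}             # assumed state-file names
STATES = {0: "ready for encryption", 1: "already encrypted", 2: "decrypted after payment"}

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_esp(esp, trusted_bootmgr_hashes):
    """Return (severity, message) findings; an empty list means nothing suspicious."""
    findings = []
    bm = os.path.join(esp, BOOTMGR)
    if not os.path.isfile(bm):
        findings.append(("high", "Windows Boot Manager missing"))
    elif sha256(bm) not in trusted_bootmgr_hashes:
        findings.append(("high", "bootmgfw.efi hash not in trusted set (loader swapped?)"))
    if not os.path.isfile(os.path.join(esp, FALLBACK)):
        findings.append(("medium", "default fallback loader EFI\\Boot\\bootx64.efi missing"))
    boot_dir = os.path.join(esp, BOOT_DIR)
    names = sorted(os.listdir(boot_dir)) if os.path.isdir(boot_dir) else []
    for name in names:
        if name in BASELINE:
            continue
        if name.startswith("bootmgfw.efi"):
            findings.append(("high", f"renamed copy of the boot manager: {name}"))
        elif name in STATE_FILES:
            findings.append(("high", f"bootkit state file present: {name}"))
        else:
            findings.append(("medium", f"unexpected file next to the loader: {name}"))
    cfg, ctr = os.path.join(boot_dir, "config"), os.path.join(boot_dir, "counter")
    if os.path.isfile(cfg):                   # assumed layout: first byte is the state flag
        with open(cfg, "rb") as f:
            head = f.read(1)
        flag = head[0] if head else -1
        findings.append(("info", f"state flag {flag}: {STATES.get(flag, 'unknown')}"))
    if os.path.isfile(ctr):                   # assumed layout: little-endian u32 cluster count
        with open(ctr, "rb") as f:
            raw = f.read(4)
        if len(raw) == 4:
            findings.append(("info", f"clusters encrypted so far: {struct.unpack('<I', raw)[0]}"))
    return findings

def severity_counts(findings):
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def build_layouts():
    """Constructed clean and infected ESP trees; returns (clean_dir, infected_dir, trusted)."""
    genuine = b"MZ genuine boot manager (constructed stand-in)"
    clean, infected = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, infected):
        _write(root, os.path.join(BOOT_DIR, "BCD"), b"constructed BCD store")
    _write(clean, BOOTMGR, genuine)
    _write(clean, FALLBACK, genuine)
    _write(infected, BOOTMGR, b"MZ vulnerable signed loader (constructed stand-in)")
    _write(infected, os.path.join(BOOT_DIR, "bootmgfw.efi.old"), genuine)  # original kept for restore
    _write(infected, os.path.join(BOOT_DIR, "cloak.dat"), b"obfuscated bootkit payload (stand-in)")
    _write(infected, os.path.join(BOOT_DIR, "config"), bytes([1]) + bytes(40))
    _write(infected, os.path.join(BOOT_DIR, "counter"), struct.pack("<I", 1234))
    return clean, infected, {hashlib.sha256(genuine).hexdigest()}

def run_demo():
    clean, infected, trusted = build_layouts()
    return {"clean": scan_esp(clean, trusted), "infected": scan_esp(infected, trusted)}
```

On a live Windows host, mount the ESP from an elevated prompt with mountvol S: /S and call scan_esp(r"S:\", trusted) with hashes collected from a known-clean machine of the same build. The scan says nothing about whether the bypass is still possible: that depends on the January 2025 revocations actually being present in the firmware's dbx, which is worth confirming on a sample of hosts (Get-SecureBootUEFI -Name dbx in PowerShell returns the raw variable) rather than inferred from the OS patch level.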
Similar Happenings
HybridPetya Ransomware Capable of UEFI Secure Boot Bypass Discovered
A new variant of the Petya/NotPetya ransomware, dubbed HybridPetya, has been identified. It can bypass UEFI Secure Boot and install a malicious application at the firmware level, on the EFI System Partition, where it runs before the operating system and its antivirus software load and persists across OS reinstalls that leave that partition in place. Samples were uploaded to VirusTotal in February 2025, but there is no evidence of deployment in the wild. HybridPetya combines the destructive capabilities of NotPetya with the recoverable encryption of Petya: it deploys malicious UEFI payloads directly to the EFI System Partition and encrypts the Master File Table (MFT). Some samples exploit CVE-2024-7344, a vulnerability in the Howyar Reloader UEFI application, to bypass Secure Boot. HybridPetya is the fourth known example of malware that can bypass UEFI Secure Boot, underlining the growing threat from UEFI bootkits, which execute during the firmware stage of the boot sequence. Its discovery highlights the ongoing evolution of ransomware and the need for defenses that cover the boot chain as well as the operating system.
Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software
The Gentlemen ransomware gang is using a vulnerable driver to disable security software in enterprise environments. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to terminate antivirus and endpoint detection and response (EDR) processes, exploiting CVE-2025-7771, a high-severity vulnerability in the ThrottleStop driver. The gang has demonstrated advanced capabilities, including tailored bypasses for specific security vendors. The attacks have been observed since this summer, with the group adapting its tactics mid-campaign, and the use of a legitimate, signed driver complicates detection and defense. The Gentlemen have been exploiting vulnerable, Internet-facing infrastructure and VPNs for initial access, and use PowerRun.exe and Allpatch2.exe to escalate privileges and disable security products. Organizations are advised to implement zero-trust controls and monitor for unusual process combinations to defend against these attacks.
SectopRAT and Betruger Malware Linked to Play, RansomHub, and DragonForce Ransomware Operations
A September 2024 intrusion involved SectopRAT and Betruger malware linked to the Play, RansomHub, and DragonForce ransomware operations. The attack began with a malicious executable disguised as DeskSoft's EarthTime application, which deployed SectopRAT; the threat actor then established persistence, created an admin account, and used a range of tools for reconnaissance, credential theft, and data exfiltration. They deployed SystemBC, Betruger, and other tools to facilitate their operations, and used multiple defense evasion techniques, including process injection, timestomping, and disabling security features. The final goal was ransomware deployment, but no encryption occurred; instead, data was archived and exfiltrated via FTP. The tools used in the attack link the threat actor to the Play, RansomHub, and DragonForce ransomware operations.
Emergence of AI-Powered Ransomware Strain PromptLock
A new AI-powered ransomware strain named PromptLock has been identified by ESET researchers Anton Cherepanov and Peter Strycek, who shared their findings on social media 18 hours after spotting samples on VirusTotal. The ransomware, written in Go and targeting Windows, Linux, and macOS, uses an AI model to generate Lua scripts on the fly: the attacker establishes a proxy or tunnel from the compromised network to a server running the Ollama API with the gpt-oss-20b model, and because the generated scripts vary from run to run, indicators of compromise (IoCs) vary as well, complicating detection and defense. PromptLock is not yet active in the wild but appears nearly ready for deployment. It can exfiltrate files and encrypt data, with plans to add file destruction capabilities; it uses the SPECK 128-bit block cipher to lock files and can generate custom ransom notes based on the files affected and the type of infected machine. The samples were uploaded to VirusTotal from the United States, and the Bitcoin address used for ransom payments is linked to Satoshi Nakamoto. The development of AI-driven ransomware presents new challenges for defenders.
UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
The FileFix social engineering attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr.d0x, abuses the File Explorer address bar to execute a malicious command: a multilingual phishing site instructs the victim to paste the command there, which launches a multi-stage PowerShell script that downloads a JPG image (believed to be AI-generated), extracts a second-stage PowerShell script and encrypted executables hidden in it by steganography, and runs a Go-based loader that launches StealC. The malicious components are hosted on Bitbucket, abusing a legitimate source code hosting platform to bypass detection, and the code uses junk code and fragmentation to hinder analysis. StealC targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. Because the payload is executed by the victim's web browser, the FileFix attack is more likely to be detected by security products, yet the campaign shows significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact. A related MetaStealer attack, also in the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer through a multi-stage infection chain that includes DLL sideloading via a legitimate SentinelOne executable.
The MetaStealer attack targets crypto wallets and other sensitive information, combining social engineering with technical evasion to deploy malware. Previously, threat actors tracked as UNC5518 used ClickFix to deploy the CORNFLAKE.V3 backdoor: victims reached fake CAPTCHA pages through compromised search results or malicious ads and were tricked into running a malicious PowerShell command that downloaded and executed the backdoor, giving the group initial access to systems. That access was then monetized by other threat groups, including UNC5774 and UNC4108, which deployed additional payloads. CORNFLAKE.V3, an updated version of CORNFLAKE.V2 with host persistence and support for additional payload types, collects system information and transmits it via Cloudflare tunnels to evade detection. The campaign also involved WINDYTWIST.SEA, a backdoor that supports lateral movement within infected networks.