New HybridPetya Ransomware Exploits UEFI Secure Boot Bypass Vulnerability
Summary
Hide β²
Show βΌ
A new ransomware variant, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware but includes the ability to bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and can compromise modern UEFI-based systems. The ransomware operates through a bootkit and an installer, with the bootkit managing encryption and decryption processes. The ransomware has been observed in samples uploaded to VirusTotal in February 2025, with no evidence of active use in the wild. The vulnerability exploited by HybridPetya was patched in January 2025. The ransomware encrypts the MFT and displays a fake CHKDSK message to deceive victims. It demands a $1,000 ransom in Bitcoin, with a total of $183.32 received between February and May 2025. The ransom note provides an option for victims to enter a decryption key after payment, which triggers the decryption process. The bootkit also recovers legitimate bootloaders from backups created during installation. The ransomware triggers a system crash during bootloader changes, ensuring the bootkit binary is executed upon reboot. HybridPetya may be a research project, proof-of-concept, or early version of a cybercrime tool under limited testing. HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect. The emergence of HybridPetya highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level.
Timeline
-
12.09.2025 14:50 π° 3 articles Β· β± 5d ago
HybridPetya Ransomware Samples Uploaded to VirusTotal
Researchers have discovered that HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect. The ransomware's ability to persist on a system even if the operating system is reinstalled or the hard drive is wiped. HybridPetya mirrors NotPetyaβs ability to cause significant system disruption but also allows operators to reconstruct the victim's decryption key and recover their data. The article also highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level, mentioning at least three other publicly known examples of similar malware: BlackLotus, Bootkitty, and Hyper-V Backdoor.
Show sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit β thehackernews.com β 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
Information Snippets
-
HybridPetya is a new ransomware variant that resembles Petya/NotPetya but includes UEFI Secure Boot bypass capabilities.
First reported: 12.09.2025 14:50π° 3 sources, 3 articlesShow sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit β thehackernews.com β 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
The ransomware exploits CVE-2024-7344, a remote code execution vulnerability in the Howyar Reloader UEFI application.
First reported: 12.09.2025 14:50π° 3 sources, 3 articlesShow sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit β thehackernews.com β 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions.
First reported: 12.09.2025 14:50π° 3 sources, 3 articlesShow sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit β thehackernews.com β 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
The ransomware operates through a bootkit and an installer, with the bootkit managing encryption and decryption processes.
First reported: 12.09.2025 14:50π° 3 sources, 3 articlesShow sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit β thehackernews.com β 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
The ransomware displays a fake CHKDSK message to deceive victims into thinking the system is repairing disk errors.
First reported: 12.09.2025 14:50π° 3 sources, 3 articlesShow sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit β thehackernews.com β 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya demands a $1,000 ransom in Bitcoin, with a total of $183.32 received between February and May 2025.
First reported: 12.09.2025 14:50π° 2 sources, 2 articlesShow sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit β thehackernews.com β 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
-
The ransomware triggers a system crash during bootloader changes, ensuring the bootkit binary is executed upon reboot.
First reported: 12.09.2025 14:50π° 3 sources, 3 articlesShow sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit β thehackernews.com β 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
The vulnerability exploited by HybridPetya was patched in January 2025.
First reported: 12.09.2025 14:50π° 3 sources, 3 articlesShow sources
- New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit β thehackernews.com β 12.09.2025 14:50
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya may be a research project, proof-of-concept, or early version of a cybercrime tool under limited testing.
First reported: 12.09.2025 20:18π° 2 sources, 2 articlesShow sources
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya's bootkit includes configuration, validation, bootloader, exploit payload, and progress tracking files.
First reported: 12.09.2025 20:18π° 2 sources, 2 articlesShow sources
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
The ransomware replaces specific bootloader files and saves the original for potential restoration.
First reported: 12.09.2025 20:18π° 2 sources, 2 articlesShow sources
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya encrypts MFT clusters using a Salsa20 key and nonce, displaying a fake CHKDSK message.
First reported: 12.09.2025 20:18π° 1 source, 1 articleShow sources
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
-
Indicators of compromise for HybridPetya are available on GitHub to aid in defense.
First reported: 12.09.2025 20:18π° 1 source, 1 articleShow sources
- New HybridPetya ransomware can bypass UEFI Secure Boot β www.bleepingcomputer.com β 12.09.2025 20:18
-
HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections.
First reported: 15.09.2025 23:59π° 1 source, 1 articleShow sources
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT).
First reported: 15.09.2025 23:59π° 1 source, 1 articleShow sources
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect.
First reported: 15.09.2025 23:59π° 1 source, 1 articleShow sources
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya's ability to persist on a system even if the operating system is reinstalled or the hard drive is wiped.
First reported: 15.09.2025 23:59π° 1 source, 1 articleShow sources
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya mirrors NotPetyaβs ability to cause significant system disruption but also allows operators to reconstruct the victim's decryption key and recover their data.
First reported: 15.09.2025 23:59π° 1 source, 1 articleShow sources
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
HybridPetya's filenames and some operational behaviors are reminiscent of NotPetya.
First reported: 15.09.2025 23:59π° 1 source, 1 articleShow sources
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
The emergence of HybridPetya highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level.
First reported: 15.09.2025 23:59π° 1 source, 1 articleShow sources
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
-
There are at least three other publicly known examples of similar malware: BlackLotus, Bootkitty, and Hyper-V Backdoor.
First reported: 15.09.2025 23:59π° 1 source, 1 articleShow sources
- 'HybridPetya' Ransomware Bypasses Secure Boot β www.darkreading.com β 15.09.2025 23:59
Similar Happenings
SEO Poisoning Campaign Targets Chinese Users with HiddenGh0st, Winos, and kkRAT
A sophisticated SEO poisoning campaign targets Chinese-speaking users with malware, including HiddenGh0st, Winos, and kkRAT. The attackers manipulate search rankings to distribute trojanized installers for popular software, leading to the deployment of remote access trojans (RATs). The malware employs various techniques to evade detection and achieve persistence, including anti-analysis checks, DLL side-loading, and TypeLib COM hijacking. The campaign aims to establish command-and-control communication, monitor user activity, and steal sensitive information. The attackers use fake software sites and GitHub Pages to distribute malware. The malware is designed to disable antivirus software and achieve persistence through scheduled tasks and registry modifications. The campaign has been active since at least May 2025 and involves multiple malware families, including kkRAT, which shares code similarities with Gh0st RAT and Big Bad Wolf.
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.
Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Tools
The Gentlemen ransomware gang uses a vulnerable driver to evade detection and disable security products in enterprise environments. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack, leveraging the ThrottleStop.sys driver to terminate antivirus and EDR processes. The ransomware has been observed since this summer and demonstrates advanced capabilities, including tailored bypasses for specific security vendors. The vulnerability (CVE-2025-7771) was discovered by Kaspersky researchers during a ransomware incident in Brazil. The Gentlemen ransomware uses ThrottleBlood.sys, a renamed version of the legitimate ThrottleStop.sys driver, to exploit the vulnerability and gain kernel-level access. The ransomware also employs All.exe and Allpatch2.exe, which are AV killers designed to terminate security software and disable protective services. The group has shifted from generic attacks to more customized and targeted approaches, adapting their tactics based on the security defenses of their targets. They use PowerRun.exe for privilege escalation and to bypass security products.
EvilAI Malware Campaign Targets Multiple Sectors Globally
A threat actor, tracked as EvilAI, is using AI-enhanced malware disguised as legitimate productivity and AI-enhanced apps to target organizations in various sectors worldwide. The malware is spread rapidly across multiple regions, including the US, India, the UK, Germany, France, and Brazil. The malware features realistic functionality and stealthy payload delivery, making it difficult to detect with traditional antivirus tools. The campaign uses digital signatures from newly registered entities to lend authenticity to the malicious apps. Once installed, the malware performs extensive reconnaissance, disables security products, and sets the stage for future exploit activities. The malware is likely being used by an initial access broker (IAB) to gain initial access and establish persistence.
Vidar Infostealer Campaigns Employ New Obfuscation Techniques
Vidar infostealer, active since 2018, has returned with enhanced stealth and persistence. This new campaign, identified by Aryaka, uses encrypted C2 channels, LOLBins, and covert exfiltration methods. Vidar spreads via phishing, malicious websites, and malvertising, targeting credentials, OS details, cookies, and financial data. The malware employs sophisticated evasion techniques, including PowerShell scripts, Windows Defender exceptions, and bypassing AMSI. It maintains persistence through scheduled tasks and hooks into the CryptProtectMemory API to access encrypted data. The C2 server uses TLS encryption for data exfiltration.