
HybridPetya Ransomware Capable of UEFI Secure Boot Bypass Discovered


Summary


A new variant of the Petya/NotPetya ransomware, dubbed HybridPetya, has been identified. The malware can bypass UEFI Secure Boot and install a malicious application at the firmware level, which lets it evade antivirus software and survive operating system reinstalls. Samples of HybridPetya were uploaded to VirusTotal in February 2025, but there is no evidence of it being deployed in the wild. HybridPetya combines the destructive capabilities of NotPetya with the recoverable encryption functionality of Petya: it deploys malicious UEFI payloads directly to the EFI System Partition and encrypts the Master File Table (MFT). Some samples can exploit CVE-2024-7344, a vulnerability in the Howyar Reloader UEFI application, to bypass Secure Boot. HybridPetya is the fourth known example of malware that can bypass UEFI Secure Boot, underscoring the growing threat from UEFI bootkits, which execute during the computer's startup sequence before the operating system loads. The discovery of HybridPetya illustrates the ongoing evolution of ransomware and the need for stronger security measures against such advanced threats.

Timeline

  1. 15.09.2025 14:22 (2 articles)

    HybridPetya Ransomware Capable of UEFI Secure Boot Bypass Discovered

    HybridPetya combines the destructive capabilities of NotPetya with the recoverable encryption functionality of Petya. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). Some samples can exploit CVE-2024-7344, a vulnerability in the Howyar Reloader UEFI application, to bypass Secure Boot. HybridPetya is the fourth known example of malware that can bypass UEFI Secure Boot, underscoring the growing threat from UEFI bootkits, which execute during the computer's startup sequence before the operating system loads.



Similar Happenings

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts that exposed firewall configuration backup files for less than 5% of its customers. The breach was caused by a series of brute-force attacks; SonicWall confirmed that attackers accessed the API service for cloud backup. The exposed files may contain sensitive information, such as credentials and tokens, for services running on SonicWall devices, which could make exploitation of SonicWall firewalls easier for threat actors. There is no evidence at this time that threat actors have leveraged the exposed data against impacted customers. SonicWall has cut off the attackers' access, is collaborating with cybersecurity and law enforcement agencies, and has advised customers to reset credentials, update secrets, and follow its detailed guidance to mitigate potential risks. SonicWall has also released a firmware update to remove rootkit malware from SMA 100 series devices. Separately, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds.

The threat actor UNC6148 has been deploying OVERSTEP, a previously unknown persistent backdoor and user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances; other vulnerabilities it may have exploited include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates whose private keys were stored on the appliance.

Chinese Malware Campaigns Exploit SEO and GitHub Pages to Distribute HiddenGh0st, Winos, and kkRAT

Chinese-speaking users are targeted by a malware campaign using SEO poisoning and fake software sites to distribute HiddenGh0st, Winos, and kkRAT. The campaign manipulates search rankings and uses trojanized installers to deliver the malware. The attacks exploit vulnerabilities in popular software and use various techniques to evade detection and maintain persistence. The malware is designed to establish command-and-control communication, monitor user activity, and steal sensitive information. The campaign was discovered in August 2025 and involves multiple malware families, including HiddenGh0st and Winos, which are variants of Gh0st RAT. The attacks use fake software sites and GitHub Pages to distribute the malware, exploiting the trust associated with legitimate platforms. The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking.

HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344

HybridPetya ransomware, which can bypass UEFI Secure Boot via CVE-2024-7344, has been discovered. The ransomware resembles Petya/NotPetya and exploits a flaw in the Howyar Reloader UEFI application to deploy a malicious EFI application. It encrypts the Master File Table (MFT) on NTFS-formatted partitions and includes a bootkit and installer. The ransomware was first uploaded to VirusTotal in February 2025 and has received payments totaling $183.32. HybridPetya incorporates characteristics from both Petya and NotPetya, using a bootkit with three states: ready for encryption, already encrypted, and decrypted after ransom payment. It uses the Salsa20 encryption algorithm and creates a counter file to track encrypted disk clusters. The ransom note demands $1,000 in Bitcoin, and the decryption process involves recovering legitimate bootloaders. The ransomware exploits a flaw in Microsoft-signed applications to bypass Secure Boot and deploy bootkits. It replaces the original Windows bootloader and removes the default bootloader file. The ransomware triggers a BSOD and forces a system reboot to execute the malicious bootkit, displaying a fake CHKDSK message during encryption. Upon completion, it demands a Bitcoin payment and provides a 32-character key for decryption and system restoration. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday, protecting updated Windows systems from HybridPetya. Offline backups are recommended as a solid practice against ransomware.

Malware Persistence Techniques and Defense Strategies

Malware persistence techniques allow attackers to maintain access to compromised systems despite reboots or disruptions. These methods include altering configurations, injecting startup code, and hijacking legitimate processes. Defending against these techniques requires a multi-layered approach that includes detection, prevention, and incident response. Wazuh, an open-source security solution, offers several capabilities to defend against malware persistence techniques. These include File Integrity Monitoring (FIM), Security and Configuration Assessment (SCA), log data analysis, and vulnerability detection. The impact of malware persistence techniques includes extended dwell time, remediation evasion, data exfiltration, deployment of additional malware, and compromised regulatory compliance.