HybridPetya Ransomware Capable of UEFI Secure Boot Bypass Discovered
Summary
A new variant of the Petya/NotPetya ransomware, dubbed HybridPetya, has been identified. This malware can bypass UEFI Secure Boot, allowing it to install a malicious application at the firmware level. That foothold lets it evade detection by antivirus software and survive operating system reinstalls. Samples of HybridPetya were uploaded to VirusTotal in February 2025, but there is no evidence of it being deployed in the wild. HybridPetya combines the destructive capabilities of NotPetya with the recoverable encryption functionality of Petya. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). Some samples can exploit CVE-2024-7344, a vulnerability in the Howyar Reloader UEFI application, to bypass Secure Boot. HybridPetya is the fourth known example of malware that can bypass UEFI Secure Boot, highlighting the growing threat from UEFI bootkits that run during the computer's startup sequence, before the operating system. Its discovery underscores the ongoing evolution of ransomware and the need for stronger security measures against such advanced threats.
Timeline
- 15.09.2025 14:22 (2 articles)
HybridPetya Ransomware Capable of UEFI Secure Boot Bypass Discovered
HybridPetya combines the destructive capabilities of NotPetya and the recoverable encryption functionality of Petya. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). Some samples can exploit CVE-2024-7344, a vulnerability in the Howyar Reloader UEFI application, to bypass Secure Boot. HybridPetya is the fourth known example of malware that can bypass UEFI Secure Boot, highlighting the growing threat from UEFI bootkits that reside at the computer's startup sequence level.
Sources:
- ⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More — thehackernews.com — 15.09.2025 14:22
- 'HybridPetya' Ransomware Bypasses Secure Boot — www.darkreading.com — 15.09.2025 23:59
Information Snippets
Reported by both sources (first reported 15.09.2025 14:22; sources: ⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More — thehackernews.com — 15.09.2025 14:22; 'HybridPetya' Ransomware Bypasses Secure Boot — www.darkreading.com — 15.09.2025 23:59):
- HybridPetya is a new variant of the Petya/NotPetya ransomware.
- The malware can bypass UEFI Secure Boot, allowing it to install malicious applications at the firmware level.
- HybridPetya samples were uploaded to VirusTotal in February 2025.
- There is no evidence of HybridPetya being deployed in the wild.
- Bootkit malware is highly prized by attackers because it provides persistent access to compromised systems.
Reported by Dark Reading only (first reported 15.09.2025 23:59; source: 'HybridPetya' Ransomware Bypasses Secure Boot — www.darkreading.com — 15.09.2025 23:59):
- HybridPetya combines the destructive capabilities of NotPetya and the recoverable encryption functionality of Petya.
- HybridPetya can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT).
- HybridPetya can exploit CVE-2024-7344, a vulnerability in the Howyar Reloader UEFI application, to bypass Secure Boot.
- HybridPetya is the fourth known example of malware that can bypass UEFI Secure Boot.
- Unlike NotPetya, HybridPetya can reconstruct the victim's decryption key and recover their data.
- HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard to detect and lets it persist on a system even after an OS reinstallation or a hard drive wipe.
- The emergence of HybridPetya highlights the growing threat from UEFI bootkits that run during the computer's startup sequence, before the operating system.
Similar Happenings
SonicWall MySonicWall Breach Exposes Firewall Configuration Files
In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts that exposed firewall configuration backup files for less than 5% of its customers. The breach was caused by a series of brute-force attacks; SonicWall confirmed that the attackers accessed the API service for cloud backup. The exposed files may contain sensitive information, such as credentials and tokens, for services running on SonicWall devices, which could make exploitation of those firewalls easier for threat actors. SonicWall has advised customers to reset credentials, update secrets, and follow its detailed guidance to mitigate potential risks; the company has cut off the attackers' access and is collaborating with cybersecurity and law enforcement agencies. There is no evidence at this time that threat actors have leveraged the exposed data against impacted customers. Following the breach, SonicWall also released a firmware update to remove rootkit malware from SMA 100 series devices. Separately, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds.
The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and to hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates whose private keys were stored on the appliance.
Chinese Malware Campaigns Exploit SEO and GitHub Pages to Distribute HiddenGh0st, Winos, and kkRAT
Chinese-speaking users are targeted by a malware campaign using SEO poisoning and fake software sites to distribute HiddenGh0st, Winos, and kkRAT. The campaign manipulates search rankings and uses trojanized installers to deliver the malware. The attacks exploit vulnerabilities in popular software and use various techniques to evade detection and maintain persistence. The malware is designed to establish command-and-control communication, monitor user activity, and steal sensitive information. The campaign was discovered in August 2025 and involves multiple malware families, including HiddenGh0st and Winos, which are variants of Gh0st RAT. The attacks use fake software sites and GitHub Pages to distribute the malware, exploiting the trust associated with legitimate platforms. The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking.
HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344
HybridPetya ransomware, which can bypass UEFI Secure Boot via CVE-2024-7344, has been discovered. The ransomware resembles Petya/NotPetya and exploits a flaw in the Howyar Reloader UEFI application to deploy a malicious EFI application. It encrypts the Master File Table (MFT) on NTFS-formatted partitions and consists of a bootkit and an installer. The ransomware was first uploaded to VirusTotal in February 2025 and has received payments totaling $183.32. HybridPetya incorporates characteristics from both Petya and NotPetya, using a bootkit with three states: ready for encryption, already encrypted, and decrypted after ransom payment. It uses the Salsa20 encryption algorithm and creates a counter file to track how many disk clusters have been encrypted. The ransom note demands $1,000 in Bitcoin, and the decryption process involves restoring the legitimate bootloaders. To bypass Secure Boot and deploy the bootkit, the ransomware exploits a flaw in a Microsoft-signed UEFI application (the Howyar Reloader). It replaces the original Windows bootloader and removes the default bootloader file. The ransomware then triggers a BSOD and forces a system reboot to execute the malicious bootkit, which displays a fake CHKDSK message while encrypting. Upon completion, it demands a Bitcoin payment and, once paid, provides a 32-character key for decryption and system restoration. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday, so updated Windows systems are protected from this bypass. Offline backups remain a solid practice against ransomware.
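The paragraph above describes the bootkit's footprint on the EFI System Partition: a dropped EFI application, a replaced Windows bootloader and a deleted default bootloader file. A practical defensive check for exactly that footprint is a baseline-and-diff of the ESP contents. The script below is an added example, not code from any of the articles or from the researchers who analysed HybridPetya: it hashes every file on a known-good ESP, rescans later, and flags new `.efi` binaries, modified files, and missing or modified loaders. The `EFI/Microsoft/Boot/bootmgfw.efi` and `EFI/Boot/bootx64.efi` paths are the standard Windows and removable-media loader locations; the directory tree, file contents and the `PLACEHOLDER_dropped.efi` name are constructed for the demo and are not HybridPetya artefacts.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed baseline tree: the standard Windows boot-loader paths plus the
# removable-media fallback loader. Contents are dummy bytes, not real binaries.
DEMO_BASELINE = {
    "EFI/Microsoft/Boot/bootmgfw.efi": b"GOOD-WINDOWS-BOOTMGR",
    "EFI/Microsoft/Boot/BCD": b"bcd-store",
    "EFI/Boot/bootx64.efi": b"GOOD-FALLBACK-LOADER",
}

# Loaders whose disappearance or change should always be treated as high severity.
REQUIRED = ("EFI/Microsoft/Boot/bootmgfw.efi", "EFI/Boot/bootx64.efi")


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large loaders do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff_esp(baseline: dict, current: dict, required=REQUIRED) -> dict:
    """Compare a fresh ESP scan against the recorded baseline and classify findings."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    # Any new .efi is worth an alert on its own: a bootkit needs an executable
    # on the ESP to run before the operating system does.
    new_efi = [k for k in added if k.lower().endswith(".efi")]
    critical = sorted(k for k in required if k in missing or k in modified)
    return {"added": added, "missing": missing, "modified": modified,
            "new_efi": new_efi, "critical": critical}


def write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative path: bytes} mapping under root."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Baseline a clean constructed ESP, then apply the tampering the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        write_tree(esp, DEMO_BASELINE)
        baseline = hash_tree(esp)          # in practice: store this securely, off the host
        # Constructed tampering: Windows loader replaced, fallback loader deleted,
        # an extra EFI application dropped. The file name is a placeholder.
        (esp / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"REPLACED-LOADER")
        (esp / "EFI/Boot/bootx64.efi").unlink()
        write_tree(esp, {"EFI/PLACEHOLDER_dropped.efi": b"UNEXPECTED-EFI-APP"})
        return diff_esp(baseline, hash_tree(esp))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

On a real host the baseline must be taken from a state you trust (fresh install plus firmware and OS updates) and stored off the machine, since anything that can write the ESP can also rewrite a local baseline; the scan itself is read-only and can be run from a mounted ESP or a live-boot environment. A hash diff will not see firmware-level changes outside the ESP, so it complements, rather than replaces, keeping the January 2025 revocations applied and Secure Boot enabled.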
Malware Persistence Techniques and Defense Strategies
Malware persistence techniques allow attackers to maintain access to compromised systems despite reboots or disruptions. These methods include altering configurations, injecting startup code, and hijacking legitimate processes. Defending against these techniques requires a multi-layered approach that includes detection, prevention, and incident response. Wazuh, an open-source security solution, offers several capabilities to defend against malware persistence techniques. These include File Integrity Monitoring (FIM), Security and Configuration Assessment (SCA), log data analysis, and vulnerability detection. The impact of malware persistence techniques includes extended dwell time, remediation evasion, data exfiltration, deployment of additional malware, and compromised regulatory compliance.