Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass
- #UEFI Bootkit
- #HybridPetya
- #Ransomware
- ESET Research discovered HybridPetya, a copycat of Petya/NotPetya malware, capable of compromising UEFI-based systems and bypassing UEFI Secure Boot via CVE-2024-7344.
- HybridPetya encrypts the Master File Table (MFT) on NTFS partitions and can install a malicious EFI application to the EFI System Partition.
- Unlike NotPetya, HybridPetya allows decryption key recovery, functioning more like traditional ransomware rather than purely destructive malware.
- A variant of HybridPetya exploits CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems using a specially crafted cloak.dat file.
- ESET telemetry shows no active use of HybridPetya in the wild, and it lacks the aggressive network propagation seen in NotPetya.
- The malware displays fake CHKDSK messages during encryption and requires victims to enter a decryption key to restore their systems.
- HybridPetya supports both legacy and UEFI systems, with the UEFI bootkit component responsible for MFT encryption and decryption.
- The malware's installer hijacks the boot process, replaces legitimate bootloaders, and triggers a system crash to ensure execution upon reboot.
- HybridPetya joins other UEFI bootkits like BlackLotus and BootKitty, highlighting the growing trend of Secure Boot bypass exploits.
- Protection against HybridPetya involves applying Microsoft's January 2025 dbx update to mitigate CVE-2024-7344 exploitation.
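As a defender-side check for the mitigation in the last point, the following PowerShell script is an added example and is not part of ESET's article or of any tool it describes. It assumes a Windows host booted under UEFI, an elevated prompt, the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets, a free S: drive letter for temporarily mounting the EFI System Partition, and a hypothetical helper named Test-HybridPetyaMitigation. The revoked-hash list is a placeholder: replace it with the SHA-256 hashes published with Microsoft's January 2025 dbx update. The script parses the dbx (forbidden signatures database) to confirm those hashes are present, confirms Secure Boot is on, and scans the ESP for a file named cloak.dat.

```powershell
# Added example (not from ESET's article): verify the dbx-based mitigation for
# CVE-2024-7344 and look for the cloak.dat artifact on the EFI System Partition.
# Run from an elevated PowerShell prompt on a UEFI Windows host.

#Requires -RunAsAdministrator

function Get-DbxSha256Hashes {
    # The dbx variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) |
    #   SignatureSize (4) | header | entries, each = SignatureOwner GUID (16) + data
    $bytes = (Get-SecureBootUEFI -Name dbx).Bytes
    $sha256Type = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $hashes = New-Object System.Collections.Generic.List[string]
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { break }   # malformed list
        if ($type -eq $sha256Type -and $sigSize -eq 48) {
            $entry = $pos + 28 + $headerSize
            while ($entry + $sigSize -le $pos + $listSize) {
                # Skip the 16-byte SignatureOwner GUID, keep the 32-byte digest.
                $digest = $bytes[($entry + 16)..($entry + 47)]
                $hashes.Add((($digest | ForEach-Object { $_.ToString('x2') }) -join ''))
                $entry += $sigSize
            }
        }
        $pos += $listSize
    }
    return $hashes
}

function Test-HybridPetyaMitigation {
    param(
        # PLACEHOLDER: replace with the SHA-256 hashes from Microsoft's January 2025 dbx update.
        [string[]]$ExpectedRevokedHashes = @('0000000000000000000000000000000000000000000000000000000000000000')
    )
    # Confirm-SecureBootUEFI returns $true when Secure Boot is enabled and throws on
    # firmware that does not support it; treat that as "not enabled".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    $dbx = Get-DbxSha256Hashes
    $missing = $ExpectedRevokedHashes | Where-Object { $dbx -notcontains $_.ToLower() }

    # Mount the EFI System Partition on S: (assumed free), search it, then unmount.
    mountvol S: /S | Out-Null
    try {
        $cloak = Get-ChildItem -Path 'S:\' -Recurse -Filter 'cloak.dat' -ErrorAction SilentlyContinue
    } finally {
        mountvol S: /D | Out-Null
    }

    [pscustomobject]@{
        SecureBootEnabled  = $secureBoot
        DbxSha256Entries   = $dbx.Count
        MissingRevocations = @($missing)          # non-empty => dbx update not applied
        CloakDatFound      = @($cloak | ForEach-Object FullName)   # non-empty => investigate
    }
}

Test-HybridPetyaMitigation | Format-List
```

A host is only protected by the dbx update when Secure Boot is enabled and every expected hash appears in the parsed dbx; a cloak.dat anywhere on the ESP is not proof of compromise on its own, but on a host this page is about it warrants collecting the ESP contents for analysis before rebooting.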