Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass
Essential information
- Published
- 15/09/2025 14:12
- Modified
- 15/09/2025 21:28
- Tags
- 2025-09-12 2025-09-15 CVE-2024-7344 bootkit bypass diskcoder.c expetr goldeneye hybridpetya mft encryption notpetya nyetya petrwrap petya ransomware secure boot secure boot bypass uefi
- Related entities
- 2 vulnerabilities (cve), 7 observables, 6 techniques (mitre), 3 malware
Description
A new ransomware called HybridPetya has been discovered, combining features of Petya and NotPetya with advanced UEFI-based system capabilities. It encrypts the Master File Table on NTFS partitions and can install a malicious EFI application to compromise UEFI systems. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. While not yet observed in the wild, HybridPetya demonstrates sophisticated techniques including UEFI bootkit functionality and Secure Boot bypass. It may be a proof-of-concept but highlights the growing trend of UEFI-based threats. The malware allows key reconstruction, potentially functioning as regular ransomware rather than being purely destructive like NotPetya.