ESET Researchers Uncover New HybridPetya Ransomware Threat
Cybersecurity researchers at the Slovak company ESET have discovered a dangerous new ransomware strain named “HybridPetya.” This malware is notable for its ability to bypass UEFI Secure Boot, a key security measure used by Windows to protect against malicious software during system startup. The discovery raises concerns that attackers are now focusing on compromising systems at the deepest level: the boot process itself.
The malware draws its inspiration from the notorious Petya and NotPetya attacks of 2016 and 2017, which caused billions in global damages by disrupting banks, shipping companies, and government services. Unlike its predecessors, HybridPetya has been updated to compromise modern systems by targeting the EFI System Partition during the earliest phase of a computer’s boot-up sequence.
How the Attack Works
HybridPetya functions as a combination of ransomware and a bootkit. Once it infects a system, the malware replaces crucial Windows boot files with its own malicious loader, forcing the computer to restart. During the reboot, the malware secretly encrypts the Master File Table (MFT) on NTFS partitions, which is the database that tracks all files on the system. Instead of the usual startup, a fraudulent disk-checking screen (similar to a tactic used by the original Petya) is displayed.
After the encryption is complete, a ransom message appears on the screen, demanding a $1,000 Bitcoin payment for a decryption key. Unlike the destructive NotPetya, which was primarily designed to cause damage, HybridPetya appears to allow for data recovery if the ransom is paid.
Exploiting a Known Secure Boot Vulnerability
HybridPetya’s ability to circumvent Secure Boot is achieved by exploiting a known vulnerability, CVE-2024-7344, within a Microsoft-signed UEFI application on outdated systems. Although Microsoft released a patch for this flaw in January 2025, systems that have not been updated remain vulnerable.
According to ESET researcher Martin Smolar, who discovered the malware, the initial samples were found in July 2025, with filenames like “notpetyanew.exe,” suggesting a link to the 2017 NotPetya attack.
Smolar noted that HybridPetya is now at least the fourth public example of a real-world or proof-of-concept UEFI bootkit with Secure Boot bypass capabilities. This trend, he warns, shows that such bypasses are becoming increasingly common and appealing to both researchers and malicious actors.
Current Status and Recommendations
As of now, ESET has not found any evidence of HybridPetya being used in active attacks. The only known samples were uploaded to VirusTotal from Poland, suggesting it may be a proof-of-concept or in an early testing phase. Unlike NotPetya, it does not automatically spread across networks.
However, its existence is a major warning sign that ransomware is evolving to use more advanced techniques to undermine even core system protections.
To protect yourself, experts emphasize the importance of staying up-to-date. Users who have installed Microsoft’s January 2025 updates are protected from this particular Secure Boot bypass.
Security teams are also advised to:
- Keep Windows fully updated to ensure Secure Boot protections are effective.
- Maintain offline backups of critical data to allow for recovery without paying a ransom.
- Monitor for Indicators of Compromise (IoCs) published by ESET.
- Regularly verify that Secure Boot is enabled and working correctly.
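The last two recommendations can be turned into a routine host check. The following PowerShell script is an added example, not code from ESET or the report: it confirms Secure Boot state, then mounts the EFI System Partition and records the signature status and SHA-256 of every EFI binary there (the files HybridPetya replaces with its own loader). It assumes an elevated session on a UEFI Windows host and that the drive letter S: is free.

```powershell
# Added example (not from ESET's report): defender-side boot-integrity checks.
# Assumes an elevated PowerShell session on a UEFI Windows host and a free S: drive letter.

function Test-SecureBootState {
    try {
        $enabled = Confirm-SecureBootUEFI   # throws on legacy BIOS or unsupported firmware
    } catch {
        return [pscustomobject]@{ SecureBoot = 'Unsupported'; Detail = $_.Exception.Message }
    }
    [pscustomobject]@{ SecureBoot = $(if ($enabled) { 'Enabled' } else { 'Disabled' }); Detail = '' }
}

function Get-EspBootImages {
    # The EFI System Partition has no drive letter by default; mount it temporarily.
    mountvol S: /S | Out-Null
    try {
        Get-ChildItem -Path 'S:\EFI' -Recurse -Include *.efi -File | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer   = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                Modified = $_.LastWriteTime       # a recent change to a boot loader is suspicious
                Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    } finally {
        mountvol S: /D | Out-Null             # always unmount, even if enumeration fails
    }
}

# Report: Secure Boot state, full ESP inventory, then anything not validly Microsoft-signed.
# Compare the SHA256 column against the IoCs ESET publishes for HybridPetya.
Test-SecureBootState | Format-List
$images = Get-EspBootImages
$images | Format-Table Path, Status, Modified -AutoSize
$images | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    ForEach-Object { Write-Warning "Review boot image: $($_.Path) [$($_.Status)]" }
```

A valid Microsoft signature is not by itself proof of safety here: the UEFI application abused via CVE-2024-7344 is Microsoft-signed, and it is the January 2025 update (revoking that application) that actually stops the bypass, so the signature check catches crude loader replacement while the patch level covers the exploit path.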
HybridPetya may not be an immediate threat, but its sophisticated nature highlights that the boot process itself is now a key battleground in the fight against ransomware.