HybridPetya ransomware uses UEFI bootkit to bypass Secure Boot via CVE-2024-7344

CyberSecureFox 🦊

ESET has analyzed a new ransomware strain dubbed HybridPetya that fuses Petya/NotPetya-style tactics with UEFI bootkit capabilities. The sample, discovered on VirusTotal, appears to be a proof-of-concept or early build rather than a fully operational campaign. Despite its early stage, HybridPetya demonstrates a working Secure Boot bypass on Windows via CVE-2024-7344, placing unpatched systems at elevated risk.

HybridPetya’s lineage: Petya/NotPetya tactics with modern boot-level stealth

The malware borrows recognizable elements from the 2016–2017 Petya/NotPetya outbreaks, including forced reboots, a deceptive “disk check” screen, and a blue screen trigger to ensure the payload runs at startup. Where HybridPetya diverges is its boot-level persistence and stealth, designed to execute before the operating system loads—significantly reducing the effectiveness of traditional security tools.

Secure Boot bypass via CVE-2024-7344: what defenders need to know

HybridPetya exploits CVE-2024-7344, a vulnerability tied to a Microsoft-signed UEFI application that can be abused to install bootkits even when Secure Boot is enabled. ESET reported the issue in early 2025; Microsoft addressed it in the January 2025 Patch Tuesday updates. Systems that have applied these updates—and have the appropriate revocation (DBX) policy in place—are protected from this vector. Devices lacking those revocations remain exposed, a pattern previously observed with Secure Boot bypasses such as BlackLotus.

Infection chain and bootkit behavior on Windows

EFI System Partition persistence and loader handling

On UEFI systems with GPT partitioning, HybridPetya drops multiple components into the EFI System Partition: configuration and validation files, a modified bootloader, a backup UEFI loader, an exploit container, and a state file to track encryption progress. Notably, the original Windows bootloader is preserved, a tactic often used by ransomware operators to enable recovery after payment.

MFT encryption masked as CHKDSK

After a forced reboot, the bootkit initiates encryption of the Master File Table (MFT) clusters using a Salsa20 key and nonce sourced from its configuration. While this occurs, victims see a counterfeit CHKDSK-like screen, lowering suspicion. Damaging the MFT disrupts access to the entire filesystem, complicating recovery and incident response.

Ransom demand, wallet activity, and signs of testing

Upon completion, HybridPetya displays a ransom note requesting $1,000 in Bitcoin along with a 32-character decryption key input. Analysts observed minimal wallet activity—approximately $183.32 between February and May 2025—which supports the assessment that this is currently a limited test or early-stage deployment rather than a widespread monetization campaign.

Current spread and who is at risk

No broad attacks have been confirmed to date. However, a working UEFI bootkit with a Secure Boot bypass lowers the barrier for rapid weaponization, particularly against unpatched Windows systems. Past UEFI-level threats like BlackLotus underscore that once a bypass is available, opportunistic actors quickly adopt it. ESET has published indicators of compromise (IoCs) on GitHub to help blue teams enhance detection.

Mitigation guidance: closing the window for HybridPetya and UEFI bootkits

Apply security updates: Prioritize Microsoft’s January 2025 (and newer) updates remediating CVE-2024-7344. Confirm that the Secure Boot DBX revocation list is deployed across all endpoints and servers.

Harden the boot chain: Keep Secure Boot enabled, update firmware from trusted OEM sources, and restrict the use of third-party recovery tools that rely on signed UEFI applications. Where available, enable Measured Boot with remote attestation.

Strengthen host defenses: Use EDR/AV that can scan the EFI System Partition and flag modifications to bootloaders. Monitor for unexplained BSODs, abnormal reboots, and write attempts to EFI partitions. Limit administrative rights and enforce device control policies.

Prepare for recovery: Maintain offline, immutable backups and test bare-metal restore procedures. Track and operationalize IoCs from trusted sources (e.g., ESET research) to expedite triage and containment.
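The EFI System Partition baseline-and-diff check the guidance above calls for, as an added example (not ESET's tooling or code from the original article): it hashes every file under an ESP mount, stores the result, and later reports added, removed or modified files, which is how dropped loader components and a replaced bootloader would surface. The mount path, the file contents and the dropped file names in the demo are constructed; only `EFI/Microsoft/Boot/bootmgfw.efi` is the real Windows boot manager path.

```python
"""Baseline-and-diff integrity check for an EFI System Partition tree (added example).

Run save_baseline() on a known-good ESP (e.g. S:\ after `mountvol S: /S` on
Windows, or /boot/efi on Linux) and diff_against_baseline() on a schedule;
any change to the boot manager or new files under EFI\ warrant investigation.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Persist the current ESP hashes as the trusted baseline."""
    baseline_file.write_text(json.dumps(hash_tree(root), indent=2))


def diff_against_baseline(root: Path, baseline_file: Path) -> dict:
    """Compare the live tree to the baseline; return added/removed/modified path lists."""
    old = json.loads(baseline_file.read_text())
    new = hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake ESP, then simulate bootkit-style tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp) / "esp"
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"original boot manager (constructed)")
        baseline = Path(tmp) / "esp_baseline.json"
        save_baseline(esp, baseline)
        # Simulated tampering: boot manager replaced, backup loader and config dropped.
        (boot / "bootmgfw.efi").write_bytes(b"modified loader (constructed)")
        (boot / "backup.efi").write_bytes(b"original boot manager (constructed)")
        (esp / "EFI" / "config").write_bytes(b"constructed config")
        return diff_against_baseline(esp, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```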

Boot-level attacks remain among the most effective techniques for evading Windows defenses. Organizations that rapidly deploy patches, enforce Secure Boot with up-to-date revocations, and monitor the boot chain materially reduce risk. Review your firmware update processes, validate Secure Boot configurations, ingest the latest IoCs, and rehearse recovery now—before early-stage tools like HybridPetya evolve into full-scale campaigns.
