In late July 2025, cybersecurity researchers identified a new ransomware variant named HybridPetya, which leverages a critical UEFI vulnerability to bypass Secure Boot protections on outdated systems. This sophisticated malware combines elements of previous Petya and NotPetya attacks with advanced techniques targeting the Unified Extensible Firmware Interface (UEFI), posing a significant threat to system integrity and data security.
Background on UEFI and Secure Boot
UEFI is a modern firmware interface that initializes hardware components and launches the operating system during the boot process. Secure Boot is a security feature within UEFI designed to ensure that only trusted software is executed during startup, preventing unauthorized code from running. By verifying the digital signatures of bootloaders and operating system kernels, Secure Boot helps maintain the integrity of the boot process.
Discovery of HybridPetya
The emergence of HybridPetya was first noted when multiple ransomware samples appeared on VirusTotal, bearing filenames reminiscent of the notorious Petya and NotPetya attacks. Unlike its predecessors, HybridPetya exhibits capabilities that extend beyond conventional userland execution, directly targeting UEFI firmware on vulnerable systems. By exploiting the CVE-2024-7344 vulnerability, HybridPetya achieves a Secure Boot bypass on outdated platforms, allowing it to install a malicious EFI application into the EFI System Partition.
Technical Analysis of HybridPetya
HybridPetya employs a dual-component architecture consisting of a Windows-based installer and an EFI bootkit. Upon execution, the installer performs the following actions:
1. EFI System Partition Manipulation: The installer locates the EFI System Partition and backs up legitimate bootloaders.
2. Configuration Deployment: It drops a Salsa20-encrypted configuration file (`\EFI\Microsoft\Boot\config`) and an encrypted verification array (`\EFI\Microsoft\Boot\verify`).
3. System Crash Induction: The installer triggers a Blue Screen of Death (BSOD) to force a system reboot, ensuring the compromised bootloader executes upon restart.
This method ensures that the malicious EFI component is activated during the next startup sequence.
Exploitation of CVE-2024-7344
HybridPetya’s innovation lies in its ability to bypass UEFI Secure Boot by exploiting the CVE-2024-7344 vulnerability. This flaw resides in a UEFI application signed with the Microsoft Corporation UEFI CA 2011 third-party certificate. The vulnerability stems from the use of a custom PE loader instead of the standard, signature-checking UEFI services `LoadImage` and `StartImage`. This oversight permits the loading of unsigned binaries from a specially crafted file named `cloak.dat` during system startup, bypassing Secure Boot integrity checks entirely. On systems lacking Microsoft’s January 2025 `dbx` update, the malicious `reloader.efi` application still passes as a trusted Microsoft-signed binary. When executed, it treats the accompanying `cloak.dat` file as a legitimate payload, loading and executing the XOR-obfuscated EFI bootkit without any signature verification.
Encryption Process and Ransom Note
Once the EFI bootkit gains control during the pre-operating-system phase, it reads its configuration and the encryption flag stored there. If the flag indicates that the system is ready for encryption, the bootkit extracts the Salsa20 key and nonce, rewrites the configuration flag, and encrypts the NTFS Master File Table (MFT) on all detected partitions. During this process, a deceptive CHKDSK-like progress message is displayed to the victim, masking the malicious activity. After encryption completes, the system reboots and presents a NotPetya-style ransom note demanding payment for data recovery.
Infection Mechanism and Persistence
HybridPetya’s infection mechanism relies on the interplay between its Windows installer and UEFI bootkit. The installer induces a system crash using the native API `NtRaiseHardError`, ensuring the malicious bootloader will execute on restart:
```c
/* Raise a hard error with the shutdown option so the machine reboots and the replaced bootloader runs. */
NtRaiseHardError(STATUS_HOST_DOWN, 0, 0, NULL, OptionShutdownSystem, &Response);
```
This crash guarantees that the UEFI component runs at the next boot: under Secure Boot enforcement on patched systems, or with Secure Boot bypassed on outdated ones. Upon reboot, the EFI application locates `\EFI\Microsoft\Boot\config`, examines the encryption flag, and branches into encryption or decryption logic. For decryption, the victim must input a 32-character key; the EFI bootkit then decrypts the `verify` file and, if the plaintext matches a series of 0x07 bytes, proceeds to restore the MFT and the legitimate bootloaders from their `.old` backups. Because this persistence mechanism lives in the EFI System Partition and runs before the operating system loads, HybridPetya’s malicious code remains active across reboots, complicating detection and removal efforts.
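The artifacts described in the two preceding sections (`config`, `verify`, `cloak.dat`, `reloader.efi` and the `.old` bootloader backups) give a defender a concrete triage checklist for a mounted EFI System Partition. The script below is an added example, not code from the write-up or from ESET; the sample ESP tree it builds is constructed for illustration, and the bootloader name `bootmgfw.efi` used in that sample is an assumption.

```python
import tempfile
from pathlib import Path

# File names come from the write-up; the sample tree built by demo() is constructed here.
FIXED_PATHS = {
    "EFI/Microsoft/Boot/config": "Salsa20-encrypted bootkit configuration",
    "EFI/Microsoft/Boot/verify": "encrypted key-verification array",
}
BY_NAME = {
    "cloak.dat": "unsigned payload consumed by the CVE-2024-7344 loader",
    "reloader.efi": "signed application carrying the custom PE loader (CVE-2024-7344)",
}

def scan_esp(esp_root):
    """Return sorted (relative_path, reason) findings for a mounted ESP."""
    root = Path(esp_root)
    findings = []
    for rel, reason in FIXED_PATHS.items():
        if (root / rel).is_file():
            findings.append((rel, reason))
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()          # FAT file names are case-insensitive
        if name in BY_NAME:
            findings.append((rel, BY_NAME[name]))
        elif name.endswith(".old"):
            # The installer keeps the genuine bootloaders as .old backups.
            findings.append((rel, "backup of a replaced bootloader"))
    return sorted(findings)

def build_sample_esp(base, infected):
    """Construct a throwaway ESP layout; 'bootmgfw.efi' is an assumed bootloader name."""
    boot = Path(base) / "EFI" / "Microsoft" / "Boot"
    boot.mkdir(parents=True)
    (boot / "bootmgfw.efi").write_bytes(b"constructed sample")
    if infected:
        for name in ("config", "verify", "cloak.dat", "reloader.efi", "bootmgfw.efi.old"):
            (boot / name).write_bytes(b"constructed sample")

def demo(infected=True):
    """Build a sample ESP in a temporary directory and scan it."""
    base = tempfile.mkdtemp()
    build_sample_esp(base, infected)
    return scan_esp(base)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point `scan_esp()` at the real ESP mount (for example the drive letter assigned with `mountvol` on Windows) to run it against a live system.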
Mitigation and Recommendations
To protect systems from HybridPetya and similar threats, it is crucial to implement the following measures:
1. Firmware Updates: Ensure that all systems are updated with the latest firmware patches, including Microsoft’s January 2025 `dbx` update, which addresses the CVE-2024-7344 vulnerability.
2. Secure Boot Configuration: Verify that Secure Boot is properly configured and that only trusted keys are used in the Secure Boot databases.
3. Regular Backups: Maintain regular backups of critical data to facilitate recovery in the event of a ransomware attack.
4. User Education: Educate users about the risks of phishing emails and the importance of not executing unknown or suspicious files.
5. Endpoint Protection: Deploy robust endpoint protection solutions capable of detecting and mitigating advanced threats targeting the boot process.
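The first recommendation above can be verified rather than assumed: the `dbx` variable is a concatenation of `EFI_SIGNATURE_LIST` structures, and the January 2025 update works by adding the hash of the vulnerable application to it. The parser below is an added example (not code from the write-up or from Microsoft) that walks that structure and checks whether a given SHA-256 Authenticode hash is revoked; the hashes in the constructed sample list are placeholders, since the write-up does not give the real hash of `reloader.efi`.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID: signature type used for SHA-256 image hashes in db/dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HDR = 28  # SignatureType GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x 4)

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off + LIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HDR or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos, end = off + LIST_HDR + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def revoked_sha256_hashes(blob):
    """Set of hex SHA-256 hashes revoked by the given dbx contents."""
    return {data.hex() for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}

def is_revoked(blob, authenticode_sha256_hex):
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(blob)

def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Construct one EFI_SIGNATURE_LIST of SHA-256 entries (used only to build sample data)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", LIST_HDR + len(body), 0, 16 + 32)
    return header + body

# Constructed sample dbx with two placeholder hashes. On a real system read the blob from
# (Get-SecureBootUEFI -Name dbx).Bytes on Windows, or on Linux from
# /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f after dropping the
# 4-byte attribute prefix, and pass the Authenticode hash of the application you care about.
PLACEHOLDER_RELOADER_HASH = "11" * 32   # placeholder, NOT the real hash of reloader.efi
SAMPLE_DBX = build_sha256_list([PLACEHOLDER_RELOADER_HASH, "22" * 32])

if __name__ == "__main__":
    print(len(revoked_sha256_hashes(SAMPLE_DBX)), "revoked hashes;",
          "revoked" if is_revoked(SAMPLE_DBX, PLACEHOLDER_RELOADER_HASH) else "not revoked")
```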
By adhering to these best practices, organizations can enhance their resilience against sophisticated malware like HybridPetya and safeguard their systems from potential compromise.