New HybridPetya ransomware can bypass UEFI Secure Boot

A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition.

HybridPetya appears inspired by the destructive Petya/NotPetya malware that encrypted computers and prevented Windows from booting in attacks in 2016 and 2017 but did not provide a recovery option.

Researchers at cybersecurity company ESET found a sample of HybridPetya on VirusTotal. They note that this may be a research project, a proof-of-concept, or an early version of a cybercrime tool still under limited testing.

Still, ESET says that its presence is yet another example (along with BlackLotus, BootKitty, and Hyper-V Backdoor) that UEFI bootkits with Secure Bypass functionality are a real threat.

HybridPetya incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain of these older malware strains.

However, the developer added new things like installation into the EFI System Partition and the ability to bypass Secure Boot by exploiting the CVE-2024-7344 vulnerability.

ESET discovered the flaw in January this year, The issue consists in Microsoft-signed applications that could be exploited to deploy bootkits even with Secure Boot protection active on the target.

Upon launch, HybridPetya determines if the host uses UEFI with GPT partitioning and drops a malicious bootkit into the EFI System partition consisting of several files.

These include configuration and validation files, a modified bootloader, a fallback UEFI bootloader, an exploit payload container, and a status file that tracks the encryption progress.

ESET lists the following files used across analyzed variants of HybridPetya:

1. EFIMicrosoftBootconfig (encryption flag + key + nonce + victim ID)
2. EFIMicrosoftBootverify (used to validate correct decryption key)
3. EFIMicrosoftBootcounter (progress tracker for encrypted clusters)
4. EFIMicrosoftBootbootmgfw.efi.old (backup of original bootloader)
5. EFIMicrosoftBootcloak.dat (contains XORed bootkit in Secure Boot bypass variant)

Also, the malware replaces EFIMicrosoftBootbootmgfw.efi with the vulnerable ‘reloader.efi,’ and removes EFIBootbootx64.efi.

The original Windows bootloader is also saved to be activated in the case of successful restoration, meaning that the victim paid the ransom.

Once deployed, HybridPetya triggers a BSOD displaying a bogus error,…