HybridPetya Ransomware Breaks Secure Boot Barrier On UEFI Systems - Arabian Post
Security researchers at ESET have identified a new malware strain called HybridPetya that combines traits of Petya and NotPetya ransomware with bootkit functionality to infect systems protected by UEFI Secure Boot. It exploits the vulnerability CVE-2024-7344 in the Howyar "Reloader" UEFI application to bypass signature checks, allowing unverified code execution.
HybridPetya was first spotted when samples uploaded to VirusTotal in February 2025 caught the eye of ESET's threat analysts. The malware installs a malicious EFI application into the EFI System Partition, which then encrypts the Master File Table on NTFS-formatted drives. The MFT contains metadata about all files, making its encryption especially disruptive.
One variant of HybridPetya takes advantage of CVE-2024-7344 to dodge the Secure Boot mechanism. The exploit leverages a file named cloak.dat, which carries an XOR-encoded bootkit. When the vulnerable reloader.efi is executed at boot, it checks for cloak.dat on the EFI System Partition and loads its content without validating integrity, thus undermining UEFI Secure Boot protections. Systems with Microsoft's January 2025 dbx update are said to be protected against this exploit.
HybridPetya also includes features for standard installer-based deployment. It determines whether the system uses UEFI with a GUID Partition Table layout, locates the EFI System Partition, replaces or backs up legitimate bootloaders, and drops configuration, key material, and progress-tracking files into the EFI partition. A blue screen of death is triggered to force a reboot and activate the bootkit. Decryption is possible: victims supply a 32-character key which, if correct, restores the bootloaders and decrypts the encrypted clusters.
ESET reports no evidence that HybridPetya has been used in large-scale attacks so far; there is concern that it might be a proof-of-concept or under limited testing. Analysts warn that its technical capabilities, especially Secure Boot bypass, bootkit deployment, and MFT encryption, represent a formidable escalation in ransomware threat design.
CVE-2024-7344 was disclosed in January 2025. It relates to the Howyar UEFI application "Reloader", which permits execution of unsigned software from a hardcoded path. The vulnerability has high severity, given its impact on integrity and confidentiality.
Organisations running Windows systems with UEFI Secure Boot are urged to verify that the January 2025 "dbx" revocation list update has been applied. Systems lacking this update remain vulnerable. Security teams are also advised to monitor for indicators such as unexpected files in EFI partitions, anomalous versions of bootloader backups, or unexpected "counter" files tracking encryption status.
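The monitoring advice above (unexpected files on the EFI System Partition, extra bootloader copies, "counter" files) and the cloak.dat / reloader.efi names from the CVE-2024-7344 description can be turned into a simple baseline-and-diff check. The script below is an added example, not code from ESET, Arabian Post or the HybridPetya samples. It assumes the ESP is mounted or copied to a local directory; the "counter" filename pattern and the post-infection file layout in `scan_demo()` are constructed for illustration, since the article does not give the exact filenames the malware drops.

```python
"""Baseline-and-diff check for an EFI System Partition (ESP).

Added example (not the article's or ESET's code). Assumptions: the ESP is
reachable as a local directory; indicator names come from the write-up
(cloak.dat, reloader.efi, bootloader backups, "counter" files); the
counter-name heuristic and the demo layout are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Filenames the article ties to the CVE-2024-7344 loading path.
KNOWN_INDICATOR_NAMES = {"cloak.dat", "reloader.efi"}
# Constructed heuristic for the "counter" progress-tracking files.
COUNTER_PATTERN = re.compile(r"counter", re.IGNORECASE)
# Standard Windows / fallback bootloader names on the ESP.
BOOTLOADER_NAMES = {"bootmgfw.efi", "bootx64.efi"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large loaders do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_esp(root: Path) -> dict[str, str]:
    """Map every file under root (lowercase, forward-slash relative path) to its hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix().lower(): hash_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_esp(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str, str]]:
    """Compare two ESP snapshots; return (severity, relative_path, reason) findings."""
    findings = []
    for rel in sorted(current):
        name = rel.rsplit("/", 1)[-1]
        if name in KNOWN_INDICATOR_NAMES:
            findings.append(("critical", rel, "known CVE-2024-7344 / HybridPetya indicator name"))
        if rel not in baseline:
            if COUNTER_PATTERN.search(name):
                findings.append(("high", rel, "new counter-like file (possible encryption progress tracker)"))
            elif any(name.startswith(b) for b in BOOTLOADER_NAMES):
                findings.append(("high", rel, "new file named like a bootloader (possible backup of the original)"))
            elif name not in KNOWN_INDICATOR_NAMES:
                findings.append(("medium", rel, "new file not present in baseline"))
        elif current[rel] != baseline[rel]:
            severity = "critical" if name in BOOTLOADER_NAMES else "medium"
            findings.append((severity, rel, "content changed since baseline"))
    for rel in sorted(set(baseline) - set(current)):
        findings.append(("medium", rel, "file present in baseline is missing"))
    return findings


def _write(root: Path, rel: str, data: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def scan_demo() -> list[tuple[str, str, str]]:
    """Constructed scenario: a clean ESP baseline, then the kinds of changes the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"ORIGINAL-WINDOWS-BOOT-MANAGER")
        _write(esp, "EFI/Boot/bootx64.efi", b"ORIGINAL-FALLBACK-LOADER")
        baseline = baseline_esp(esp)

        # Constructed post-infection state: original loader backed up under a new name,
        # loader replaced, a cloak.dat payload container, and a progress counter dropped.
        _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi.old", b"ORIGINAL-WINDOWS-BOOT-MANAGER")
        _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"REPLACED-LOADER")
        _write(esp, "EFI/Microsoft/Boot/cloak.dat", b"XOR-ENCODED-PAYLOAD")
        _write(esp, "EFI/Microsoft/Boot/counter", b"\x00\x00\x00\x00")
        return diff_esp(baseline, baseline_esp(esp))


if __name__ == "__main__":
    for severity, rel, reason in scan_demo():
        print(f"[{severity:8}] {rel}: {reason}")
```

In production use, take `baseline_esp()` from a known-good image and store it off-host; the diff run then only needs read access to the mounted ESP. A hash change on bootmgfw.efi or bootx64.efi, or any appearance of cloak.dat, should be treated as an incident rather than a drift alert, since legitimate bootloader updates are rare and auditable.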