HybridPetya: A New BIOS and UEFI Bootkit with Secure Boot Bypass Capabilities
A recently discovered ransomware strain named HybridPetya demonstrates a significant advancement in malware capabilities by exploiting an already patched vulnerability to bypass UEFI Secure Boot on Windows systems where the fix has not been applied. This makes it the fourth publicly known bootkit capable of circumventing Secure Boot and hijacking PCs before the operating system loads.
Discovery and Background
ESET researchers identified HybridPetya after samples surfaced on VirusTotal in February. They named it for its resemblance to the notorious Petya and NotPetya malware, which inflicted massive damage globally. Notably, HybridPetya currently appears to be a proof-of-concept (PoC), with no evidence of active deployment in the wild. Unlike NotPetya, it does not propagate aggressively over networks.
Significance of Secure Boot Bypass
This discovery underscores an important reality: Secure Boot bypasses, once dismissed as a myth, do exist and are evolving. Both white-hat hackers and malicious actors are developing new variants that exploit these vulnerabilities. The compromise of Secure Boot poses a serious security concern because it allows malware to load before the OS, making detection and removal much more challenging.
Historical Context
Back in 2017, NotPetya malware caused over $10 billion in damages worldwide. It utilized bootkits to overwrite the Master Boot Record (MBR), effectively locking users out of their data and preventing Windows from booting. Petya and NotPetya shared this disk-locking behavior and exploited vulnerabilities to infect systems at a fundamental level.
HybridPetya’s Technical Capabilities
HybridPetya leverages CVE-2024-7344 — a UEFI vulnerability disclosed earlier this year and since addressed by revocation on updated machines — to install malicious EFI applications directly onto the EFI System Partition. These EFI applications encrypt critical filesystem metadata, specifically the NTFS Master File Table (MFT), thereby locking the file system.
Unlike NotPetya, which aimed for data destruction, HybridPetya functions as ransomware whose operators can produce a working decryption key. The decryption process is reproducible from the victim's personal installation key, so data can be recovered if the ransom is paid.
How the Bootkit Operates
Upon execution, HybridPetya’s bootkit loads its configuration from the `\EFI\Microsoft\Boot\config` file on the EFI System Partition. It checks an encryption status field, which can be:
- 0: Ready for encryption
- 1: Already encrypted
- 2: Ransom paid, disk decrypted
If the disk is ready (0), the bootkit rewrites the configuration to mark it as encrypted, encrypts a verification file with Salsa20, and creates a counter file to track encrypted disk clusters. It also displays a fake Windows CHKDSK message, mimicking a genuine disk check.
If the disk is already encrypted (1), it proceeds with ransom instructions, prompting victims to pay in Bitcoin for the decryption key. After verifying the entered key, the malware decrypts the disk and restores the legitimate bootloaders from a backup.
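As an added analyst's model (not ESET's or HybridPetya's code), the Python below reproduces the status transitions (0 → 1 → 2) and the Salsa20 verification-file check described above: an entered key is accepted only if it decrypts the verification block back to its known content, which is why a correct key can be checked before any disk data is touched. The real layout of the config file is not described here, so the in-memory dict, the nonce, and the verification content are assumptions.

```python
# Added example, not ESET's or HybridPetya's code: analyst's model of the status
# flow and the Salsa20 key check. Config layout is assumed (in-memory dict).
import struct

def _rotl(v, c):
    return ((v << c) & 0xffffffff) | (v >> (32 - c))

def _qr(s, a, b, c, d):  # Salsa20 quarter-round, in place on word list s
    s[b] ^= _rotl((s[a] + s[d]) & 0xffffffff, 7)
    s[c] ^= _rotl((s[b] + s[a]) & 0xffffffff, 9)
    s[d] ^= _rotl((s[c] + s[b]) & 0xffffffff, 13)
    s[a] ^= _rotl((s[d] + s[c]) & 0xffffffff, 18)

def _salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k, n = struct.unpack('<8I', key), struct.unpack('<2I', nonce)
    s = [0x61707865, *k[:4], 0x3320646e, *n, counter & 0xffffffff, counter >> 32,
         0x79622d32, *k[4:], 0x6b206574]
    x = s[:]
    for _ in range(10):  # 10 double rounds = Salsa20/20
        _qr(x, 0, 4, 8, 12); _qr(x, 5, 9, 13, 1); _qr(x, 10, 14, 2, 6); _qr(x, 15, 3, 7, 11)
        _qr(x, 0, 1, 2, 3); _qr(x, 5, 6, 7, 4); _qr(x, 10, 11, 8, 9); _qr(x, 15, 12, 13, 14)
    return struct.pack('<16I', *[(a + b) & 0xffffffff for a, b in zip(x, s)])

def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], _salsa20_block(key, nonce, i // 64)))
    return bytes(out)

VERIFY_PLAIN = b"\x07" * 64  # constructed stand-in for the verification file's content

def encrypt_step(cfg, key):
    """Status 0 -> 1: mark encrypted, encrypt the verification block, reset counter."""
    if cfg["status"] == 0:
        cfg["verify"] = salsa20_xor(key, cfg["nonce"], VERIFY_PLAIN)
        cfg.update(status=1, counter=0)
    return cfg

def key_is_valid(cfg, candidate):
    """Entered key is accepted only if it reproduces the verification block."""
    return len(candidate) == 32 and salsa20_xor(candidate, cfg["nonce"], cfg["verify"]) == VERIFY_PLAIN

def decrypt_step(cfg, candidate):
    """Status 1 -> 2 only after the key check; a wrong key changes nothing."""
    if cfg["status"] == 1 and key_is_valid(cfg, candidate):
        cfg.update(status=2)
    return cfg
```

The same check is what a decryptor needs: given a candidate key, it can test it against the verification block without modifying the encrypted MFT.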
Future Threat Landscape
While HybridPetya is not currently spreading actively, its technical features—particularly MFT encryption, UEFI compatibility, and Secure Boot bypass—highlight the potential for future threats. Experts warn that these capabilities could be exploited to target a large number of devices, especially with the upcoming development of Linux-based UEFI bootkits.
Related Developments
HybridPetya follows other notable Secure Boot bypass malware:
- BlackLotus (2023): First malware capable of bypassing Secure Boot on Windows, sold on cybercrime marketplaces.
- Bootkitty (2022): A bootkit targeting Linux systems, also identified via VirusTotal.
- Hyper-V Backdoor PoC: Exploiting CVE-2020-26200, adding to the list of documented bootkits.
Conclusion
Although HybridPetya is still in the proof-of-concept stage, its sophisticated use of UEFI vulnerabilities and Secure Boot bypass techniques signifies a concerning trend in firmware-level malware. As security researchers continue to monitor these developments, proactive measures and timely updates from hardware and software providers are vital to mitigate future risks.
---
Note: This article is based on the latest findings and disclosures as of October 2023.