HybridPetya ransomware bypasses UEFI Secure Boot echoing Petya/NotPetya

HybridPetya ransomware bypasses UEFI Secure Boot to infect EFI partitions, echoing the infamous Petya/NotPetya attacks of 2016–2017.

ESET researchers discovered a new ransomware called HybridPetya on the VirusTotal platform. The malware echoes the infamous Petya/NotPetya malware but supports additional capabilities, such as compromising UEFI-based systems and exploiting CVE‑2024‑7344 to bypass UEFI Secure Boot on outdated systems.

“Interestingly, the code responsible for generating the victims’ personal installation keys seems to be inspired by the RedPetyaOpenSSL PoC.” reads the report published by ESET. “We are aware of at least one other UEFI-compatible PoC rewrite of NotPetya, dubbed NotPetyaAgain, which is written in Rust; however, that code is unrelated to HybridPetya.”

Unlike NotPetya, HybridPetya behaves as true ransomware, like Petya, in that it allows decryption. Researchers suspect the sample could be linked to a UEFI Petya PoC that was first discussed on September 9, 2025, suggesting HybridPetya may be a research project.

ESET researchers published a technical analysis of HybridPetya’s components, the bootkit and the installer.

The UEFI bootkit has two similar versions. On execution, it checks the encryption flag in the config file: 0 (ready), 1 (encrypted), or 2 (decrypted).

If set to 0, it extracts a Salsa20 key and nonce, zeros the config file key, sets the flag to 1, encrypts the ‘verify’ file, and creates a counter file. The bootkit searches for NTFS partitions and encrypts the Master File Table. Then the malicious code updates the counter file with the number of encrypted clusters, and displays a fake CHKDSK status. After encryption, the malware reboots. If the disk is already encrypted (flag 1), it shows a ransom note and accepts a 32-character key.

The malware verifies the key by decrypting the verify file, and, if correct, sets the flag to 2 (decrypted), recovers bootloaders, and prompts reboot.

The HybridPetya installers locate the EFI System Partition on GPT disks, remove the fallback loader (\EFI\Boot\Bootx64.efi), and drop an encryption config (\EFI\Microsoft\Boot\config) containing the Salsa20 key, nonce and victim key, plus a 0x200-byte verification blob (\EFI\Microsoft\Boot\verify) that the bootkit later decrypts to validate entered keys. The installer backs up bootmgfw.efi to bootmgfw.efi.old, then forces a BSOD (NtRaiseHardError) so the system reboots into the replaced boot flow and executes the bootkit.
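As an added defender-side example (not ESET's code and not taken from the report), the following Python triage function checks a mounted EFI System Partition for the file-system indicators described above: the deleted fallback loader, the dropped config and 0x200-byte verify blob, and the bootmgfw.efi.old backup. The ESP mount path is supplied by the caller, and the sample layout the helper builds is constructed for the demonstration only.

```python
import tempfile
from pathlib import Path
from typing import List, Optional

FALLBACK_LOADER = "EFI/Boot/bootx64.efi"
CONFIG_FILE = "EFI/Microsoft/Boot/config"
VERIFY_FILE = "EFI/Microsoft/Boot/verify"
BACKUP_LOADER = "EFI/Microsoft/Boot/bootmgfw.efi.old"
VERIFY_SIZE = 0x200

def find_ci(root: Path, rel: str) -> Optional[Path]:
    """Case-insensitive lookup: the ESP is FAT32, so name case is not reliable."""
    cur = root
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def triage_esp(esp_root) -> List[str]:
    """Return findings for a mounted ESP; an empty list means no indicator matched."""
    root = Path(esp_root)
    findings: List[str] = []
    if find_ci(root, FALLBACK_LOADER) is None:
        findings.append("fallback loader missing: " + FALLBACK_LOADER)
    if find_ci(root, CONFIG_FILE) is not None:
        findings.append("unexpected file present: " + CONFIG_FILE)
    verify = find_ci(root, VERIFY_FILE)
    if verify is not None:
        size = verify.stat().st_size
        note = "size matches 0x200" if size == VERIFY_SIZE else f"size {size:#x}"
        findings.append(f"unexpected file present: {VERIFY_FILE} ({note})")
    if find_ci(root, BACKUP_LOADER) is not None:
        findings.append("boot manager backup present: " + BACKUP_LOADER)
    return findings

def build_sample_esp(infected: bool) -> Path:
    """Constructed sample ESP layout in a temp dir; files are dummies, not malware."""
    efi = Path(tempfile.mkdtemp()) / "EFI"
    for sub in ("Boot", "Microsoft/Boot"):
        (efi / sub).mkdir(parents=True)
    if infected:
        (efi / "Microsoft/Boot/config").write_bytes(b"\x00" * 64)
        (efi / "Microsoft/Boot/verify").write_bytes(b"\x00" * VERIFY_SIZE)
        (efi / "Microsoft/Boot/bootmgfw.efi.old").write_bytes(b"MZ")
    else:
        (efi / "Boot/bootx64.efi").write_bytes(b"MZ")
    return efi.parent
```

A missing fallback loader alone is not conclusive on every firmware, so treat the combination of findings, not any single one, as the signal worth escalating.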

HybridPetya is the fourth known UEFI bootkit with Secure Boot bypass, after BlackLotus, BootKitty, and the Hyper-V Backdoor PoC (exploiting CVE‑2020‑26200), showing such attacks are growing more common.

“Although HybridPetya is not actively spreading, its technical capabilities – especially MFT encryption, UEFI system compatibility, and Secure Boot bypass – make it noteworthy for future threat monitoring.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, UEFI)
