Researchers Warn of Growing Threat from UEFI Bootkits Exploiting Critical Vulnerability


A newly discovered ransomware strain named HybridPetya has been found to bypass the UEFI Secure Boot feature, allowing it to install malicious applications on the EFI System Partition. This ransomware appears to be inspired by the infamous Petya and NotPetya malware from 2016 and 2017, which caused widespread disruption by encrypting systems and preventing Windows from booting. However, unlike its predecessors, HybridPetya includes new features such as the ability to install itself into the EFI System Partition and exploit the recently discovered CVE-2024-7344 vulnerability to bypass Secure Boot protections.

Researchers at ESET identified a sample of HybridPetya on VirusTotal and suggest it may be a research project, a proof-of-concept, or an early stage of a potential cybercrime tool. The malware replaces critical boot files, such as \EFI\Microsoft\Boot\bootmgfw.efi, with malicious versions like the vulnerable reloader.efi, and removes \EFI\Boot\bootx64.efi. The original Windows bootloader is also saved to be reactivated if the victim pays the ransom.

Once deployed, HybridPetya triggers a blue screen of death (BSOD) displaying a bogus error message, similar to Petya, and forces a system reboot so that the malicious bootkit executes on startup. The bootkit then encrypts all Master File Table (MFT) clusters using a Salsa20 key and nonce read from its configuration file, while displaying a fake CHKDSK message, a tactic reminiscent of NotPetya. Once encryption is complete, another reboot is triggered, and the victim is presented with a ransom note during system boot, demanding a Bitcoin payment of $1,000.

In exchange, the victim is provided with a 32-character key that can be entered on the ransom note screen to restore the original bootloader, decrypt the data, and prompt a system reboot. Though no real-world attacks have been reported yet, the presence of HybridPetya highlights the growing threat of UEFI bootkits with Secure Boot bypass capabilities.

Microsoft has addressed the underlying vulnerability in the January 2025 Patch Tuesday update, and users are advised to ensure their systems are up to date. Additionally, maintaining offline backups of important data remains a crucial defense strategy against ransomware attacks.

Indicators of compromise (IOCs) and further analysis are available on a public GitHub repository, allowing security professionals to better detect and defend against this emerging threat. The malware has been found to use several files in its attack chain, including configuration and validation files, a modified bootloader, a fallback UEFI bootloader, an exploit payload container, and a status file that tracks the encryption progress.

As ransomware continues to evolve, the cybersecurity community is urged to remain vigilant and adopt proactive measures to protect critical systems and data. HybridPetya is just one of several UEFI-based threats, including BlackLotus, BootKitty, and Hyper-V Backdoor, that have demonstrated the potential for serious damage if left unpatched or unmonitored.

Security experts also note that while HybridPetya is not yet in the wild, other actors may weaponize the proof-of-concept and use it in broader campaigns targeting unpatched Windows systems. Organizations are encouraged to monitor for these threats and implement layered defenses, including UEFI firmware and EFI System Partition integrity checks, regular patching, and multi-factor authentication for system access.
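One concrete form of the ESP integrity check recommended above is to hash every file on a mounted EFI System Partition and diff it against a known-good baseline, flagging exactly the changes the article attributes to HybridPetya: a replaced bootmgfw.efi, a missing bootx64.efi, and a dropped reloader.efi. The script below is an added example written for this page, not ESET's or Microsoft's tooling; it runs against two constructed toy directory trees, and the location of reloader.efi beside bootmgfw.efi is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

REPLACED_LOADER = "efi/microsoft/boot/bootmgfw.efi"  # overwritten with a malicious copy
REMOVED_LOADER = "efi/boot/bootx64.efi"              # fallback loader deleted
DROPPED_NAME = "reloader.efi"                        # vulnerable signed loader tied to CVE-2024-7344

def hash_tree(root: Path):
    """Map every file under root to its SHA-256; paths are lower-cased (the ESP is FAT, case-insensitive)."""
    return {p.relative_to(root).as_posix().lower(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_esp(baseline, current):
    """Return (added, removed, modified) relative paths between two hash maps."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def hybridpetya_indicators(baseline, current):
    """Turn an ESP diff into findings matching the file changes described in the article."""
    added, removed, modified = diff_esp(baseline, current)
    findings = []
    if REPLACED_LOADER in modified:
        findings.append(f"{REPLACED_LOADER}: hash differs from baseline (bootloader replaced)")
    if REMOVED_LOADER in removed:
        findings.append(f"{REMOVED_LOADER}: missing (fallback loader removed)")
    findings += [f"{p}: unexpected file (vulnerable reloader.efi dropped)"
                 for p in added if p.endswith(DROPPED_NAME)]
    findings += [f"{p}: unexpected new file" for p in added if not p.endswith(DROPPED_NAME)]
    return findings

def build_sample_esp(root: Path, infected: bool):
    """Write a constructed toy ESP tree; the byte strings stand in for real loaders."""
    files = {"EFI/Microsoft/Boot/bootmgfw.efi": b"malicious-loader" if infected else b"genuine-bootmgfw",
             "EFI/Boot/bootx64.efi": None if infected else b"genuine-bootx64"}
    if infected:  # assumption: the dropped loader lands beside bootmgfw.efi
        files["EFI/Microsoft/Boot/reloader.efi"] = b"vulnerable-reloader"
    for rel, data in files.items():
        if data is not None:
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_esp(Path(tmp) / "clean", False)
        build_sample_esp(Path(tmp) / "infected", True)
        return hybridpetya_indicators(hash_tree(Path(tmp) / "clean"), hash_tree(Path(tmp) / "infected"))
```

On a real system, point hash_tree at the mounted ESP (for example after mountvol S: /S on Windows) and store the clean baseline offline so a bootkit cannot rewrite it alongside the loaders.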
