ESET Research discovers UEFI-compatible HybridPetya ransomware capable of Secure Boot bypass
Created: 2025-09-16 07:48:40
- ESET Research has discovered new ransomware samples, which it has named HybridPetya, resembling the infamous Petya/NotPetya malware. They were uploaded to VirusTotal in February 2025.
- HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions.
- Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.
- One of the analyzed HybridPetya variants exploits CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems, leveraging a specially crafted cloak.dat file.
- ESET telemetry shows no signs of HybridPetya being used in the wild yet.
BRATISLAVA — September 12, 2025 — ESET Research has discovered a HybridPetya bootkit and ransomware uploaded from Poland to the malware-scanning platform VirusTotal. The sample is a copycat of the infamous Petya/NotPetya malware; however, it adds the capability of compromising UEFI-based systems and weaponizing CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems.
“Late in July 2025, we encountered suspicious ransomware samples under various filenames, including notpetyanew.exe and other similar ones, suggesting a connection with the infamously destructive malware that struck Ukraine and many other countries back in 2017. The NotPetya attack is believed to be the most destructive cyberattack in history, with more than $10 billion in total damages. Due to the shared characteristics of the newly discovered samples with both Petya and NotPetya, we named this new malware HybridPetya,” says ESET researcher Martin Smolár, who made the discovery.
The algorithm used to generate the victim’s personal installation key, unlike in the original NotPetya, allows the malware operator to reconstruct the decryption key from the victim’s personal installation keys. Thus, HybridPetya remains viable as regular ransomware – more like Petya. Additionally, HybridPetya is also capable of compromising modern UEFI-based systems by installing a malicious EFI application to the EFI System Partition. The deployed UEFI application is then responsible for encryption of the NTFS-related Master File Table (MFT) file – an important metadata file containing information about all the files on the NTFS-formatted partition.
“After a bit more digging, we discovered something even more interesting on VirusTotal: an archive containing the whole EFI System Partition contents, including a very similar HybridPetya UEFI application, but this time bundled in a specially formatted cloak.dat file, vulnerable to CVE-2024-7344 – the UEFI Secure Boot bypass vulnerability that our team disclosed in early 2025,” adds Smolár. ESET publications from January 2025 purposely refrained from detailing the exploitation; thus, the malware author probably reconstructed the correct cloak.dat file format based on reverse engineering the vulnerable application on their own.
ESET telemetry shows no active use of HybridPetya in the wild yet; thus, HybridPetya may just be a proof of concept developed by a security researcher or an unknown threat actor. Furthermore, this malware does not exhibit the aggressive network propagation seen in the original NotPetya.
For a more detailed analysis and technical breakdown of HybridPetya, check out the latest ESET Research blogpost: "Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass," on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
Overview of HybridPetya’s execution logic
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.
Join ESET at Facebook