HybridPetya: The UEFI-Busting Heir to Petya/NotPetya

In September 2025, researchers at ESET described HybridPetya, a ransomware family that reuses the destructive core of Petya and NotPetya, encryption of the NTFS Master File Table, and adds something its predecessors lacked: a UEFI bootkit with a Secure Boot bypass.

What Is HybridPetya?

HybridPetya encrypts the NTFS Master File Table (MFT). Because the MFT is the index of every file on the volume, encrypting it makes all file content unreachable even though the data blocks themselves are untouched. That much is inherited from Petya and NotPetya. The difference is where it runs: HybridPetya targets UEFI systems and installs itself as a malicious EFI application on the EFI System Partition (ESP), so it executes as a bootkit before Windows loads rather than from a hijacked legacy MBR.

Technical Features

  • UEFI Secure Boot bypass: one variant exploits CVE-2024-7344, a flaw in a Microsoft-signed third-party UEFI application that loads a companion binary named cloak.dat without Secure Boot verification. HybridPetya supplies its own cloak.dat carrying the bootkit, so the chain runs with Secure Boot enabled on any firmware where the vulnerable signed binary has not been revoked.
  • Bootkit installation: the installer replaces the legitimate boot files on the ESP with its own EFI application and forces a reboot, so the ransomware runs before the operating system loads and outside the reach of OS-level security tools.
  • Encryption: the MFT is encrypted with Salsa20, the same stream cipher NotPetya used. It is small enough to implement inside a pre-boot EFI application and fast enough to finish the MFT during a single boot; as with any stream cipher, the data is unrecoverable without the key and nonce.
  • Ransom demand: victims see a ransom note demanding $1,000 in Bitcoin, with a prompt for entering the decryption key after payment.
  • Infection chain: the installer drops the modified bootloader and configuration files to the ESP, the bootkit records encryption progress in a status file so an interrupted run can resume where it stopped, and the boot files stay modified, so a recovery attempt that does not restore the original boot manager lands back in the bootkit.

Attack Flow

  1. Checks that the machine boots via UEFI from a GPT-partitioned disk.
  2. Drops malicious files to the EFI System Partition:
  • Modified bootloader
  • Salsa20 config and nonce files
  • Encryption status tracker
  • UEFI Secure Boot bypass exploit (cloak.dat, in the CVE-2024-7344 variant)
  3. Overwrites the system boot files and forces a restart.
  4. At the next boot, the bootkit hijacks startup, displays a fake CHKDSK screen, and encrypts the MFT behind it.
  5. On completion, the system boots to the ransom note.
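The attack flow above can be followed in code. The block below is an added illustration, not HybridPetya's code: it implements the Salsa20 cipher the article names, keeps key and nonce in a "config" entry and a sector count in a "counter" entry of a dictionary standing in for the ESP (those names and byte layouts are assumptions that mirror the config and status-tracker files listed in step 2), and simulates encrypting an MFT region of a constructed 16-sector disk. The demo shows why the status tracker exists: Salsa20 is an XOR keystream, so restarting an interrupted run from sector 0 would decrypt the sectors already done, while resuming from the counter reproduces a single uninterrupted run. The same XOR property is what decryption with the right key relies on.

```python
"""Salsa20 over a simulated NTFS MFT region, with the bookkeeping the attack
flow describes: a config holding key and nonce, a counter of sectors done.
Constructed illustration, not HybridPetya's code; names/layouts are assumed."""
import struct

MASK = 0xFFFFFFFF
SECTOR = 512                      # sector size of the simulated disk
BLOCKS_PER_SECTOR = SECTOR // 64  # Salsa20 produces 64-byte keystream blocks


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarterround(y, a, b, c, d):
    """Salsa20 quarterround, in place, on state words a, b, c, d."""
    y[b] ^= _rotl((y[a] + y[d]) & MASK, 7)
    y[c] ^= _rotl((y[b] + y[a]) & MASK, 9)
    y[d] ^= _rotl((y[c] + y[b]) & MASK, 13)
    y[a] ^= _rotl((y[d] + y[c]) & MASK, 18)


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block for a 32-byte key and 8-byte nonce."""
    sigma = struct.unpack("<4I", b"expand 32-byte k")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    state = [sigma[0], k[0], k[1], k[2], k[3], sigma[1], n[0], n[1],
             c[0], c[1], sigma[2], k[4], k[5], k[6], k[7], sigma[3]]
    x = list(state)
    for _ in range(10):                       # 10 double rounds
        _quarterround(x, 0, 4, 8, 12)         # column round
        _quarterround(x, 5, 9, 13, 1)
        _quarterround(x, 10, 14, 2, 6)
        _quarterround(x, 15, 3, 7, 11)
        _quarterround(x, 0, 1, 2, 3)          # row round
        _quarterround(x, 5, 6, 7, 4)
        _quarterround(x, 10, 11, 8, 9)
        _quarterround(x, 15, 12, 13, 14)
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, state)))


def salsa20_xor(key, nonce, data, first_block):
    """XOR data with the keystream that starts at block index first_block."""
    out = bytearray(data)
    for i in range(len(out)):
        if i % 64 == 0:
            ks = salsa20_block(key, nonce, first_block + i // 64)
        out[i] ^= ks[i % 64]
    return bytes(out)


def encrypt_mft(disk, esp, mft_start, mft_sectors, stop_after=None):
    """XOR the MFT sector range with Salsa20, resuming from esp['counter'].
    Each sector gets its own block-counter range, so keystream never repeats."""
    key, nonce = esp["config"][:32], esp["config"][32:40]
    done = struct.unpack("<I", esp.get("counter", b"\0\0\0\0"))[0]
    for s in range(done, mft_sectors):
        if stop_after is not None and s - done >= stop_after:
            break                             # simulate a reboot mid-run
        off = (mft_start + s) * SECTOR
        disk[off:off + SECTOR] = salsa20_xor(key, nonce, disk[off:off + SECTOR],
                                             s * BLOCKS_PER_SECTOR)
        esp["counter"] = struct.pack("<I", s + 1)
    return struct.unpack("<I", esp.get("counter", b"\0\0\0\0"))[0]


def demo():
    """Why the counter matters: Salsa20 is XOR, so restarting from sector 0
    would undo the sectors already encrypted; resuming matches a clean run."""
    key = bytes(range(32))                    # constructed key material
    nonce = bytes.fromhex("0102030405060708")
    plain = bytes((i * 7 + 3) & 0xFF for i in range(16 * SECTOR))  # 16-sector disk
    start, count = 4, 8                       # MFT occupies sectors 4..11
    region = slice(start * SECTOR, (start + count) * SECTOR)
    first3 = slice(start * SECTOR, (start + 3) * SECTOR)

    clean, esp = bytearray(plain), {"config": key + nonce}
    encrypt_mft(clean, esp, start, count)

    resumed, esp = bytearray(plain), {"config": key + nonce}
    encrypt_mft(resumed, esp, start, count, stop_after=3)   # interrupted after 3 sectors
    naive = bytearray(resumed)                               # copy of the half-done disk
    encrypt_mft(resumed, esp, start, count)                  # resumes at sector 3
    encrypt_mft(naive, {"config": key + nonce}, start, count)  # no counter: restart at 0

    restored, esp = bytearray(clean), {"config": key + nonce}
    encrypt_mft(restored, esp, start, count)                 # same keystream decrypts

    return {
        "resume_matches_clean_run": resumed == clean,
        "mft_changed": clean[region] != plain[region],
        "outside_mft_untouched": clean[:start * SECTOR] == plain[:start * SECTOR],
        "naive_restart_undid_first_sectors": naive[first3] == plain[first3],
        "decrypt_roundtrip": restored == plain,
    }
```

Running `demo()` returns five booleans, all True. The "naive_restart_undid_first_sectors" result is the one worth noticing: without the counter, the sectors done before the interruption come back in the clear, which is why a bootkit of this kind keeps a progress file on the ESP, and why that file is also a useful artifact for a responder to collect.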

Threat Assessment and Wild Activity

Unlike NotPetya, which spread across networks on its own, HybridPetya has not been seen propagating or running in active campaigns. The known samples surfaced as uploads to a public sample repository rather than in observed attacks, which is consistent with a proof of concept or an early build rather than a deployed campaign. Even so, a working UEFI bootkit with a Secure Boot bypass is exactly the capability a destructive campaign against unrevoked firmware would need.

Mitigation and Recommendations

  • Apply the CVE-2024-7344 revocation: Microsoft revoked the vulnerable signed UEFI binaries through a Secure Boot DBX update in the January 2025 Patch Tuesday. Verify that the revocation is actually present in firmware on each system, since a machine with Secure Boot enabled but an old DBX is still exposed.
  • Secure backups: maintain offline, immutable backups and test restores regularly; because the MFT rather than individual files is encrypted, recovery means restoring the whole volume, not decrypting documents one at a time.
  • Harden UEFI configurations: set a firmware setup password, keep Secure Boot enabled, and restrict local administrator rights, since mounting and writing to the ESP requires them.
  • Monitor for IOCs: add the published sample hashes and ESP file names to detection content, and alert on unexpected files under the ESP or a boot manager whose signature no longer validates.

Conclusion

HybridPetya is an ominous evolution in the ransomware threat landscape, bridging the gap between file-level and firmware-level attacks. Enterprises and security teams must prioritize firmware security, apply recent patches, and maintain vigilance against novel exploitation techniques. As ransomware develops a foothold below the operating system level, traditional defenses alone are no longer enough to protect mission-critical infrastructure.
