340/68 Monday, September 15, 2025

Researchers have uncovered a new ransomware strain called “HybridPetya”, which merges features of the infamous Petya and NotPetya malware that caused devastating outbreaks in 2016–2017. The alarming aspect of HybridPetya lies in its ability to bypass the UEFI Secure Boot security mechanism, enabling it to implant malicious code into the EFI System Partition, a region traditionally difficult for ransomware to access. Researchers from ESET discovered samples of the malware on VirusTotal and noted it may represent a research project, a proof-of-concept, or an early-stage version of a cybercriminal tool.
HybridPetya checks whether the target system is running UEFI with a GPT partitioning scheme before deploying its malicious bootkit. This bootkit includes files related to encryption, key verification, and Windows bootloader replacement, such as reloader.efi and cloak.dat. Its operation mimics classic Petya: first, it triggers a fake Blue Screen of Death to trick users into restarting. Once rebooted, the bootkit executes and encrypts the Master File Table (MFT) using the Salsa20 algorithm, displaying a counterfeit CHKDSK screen before showing a ransom note demanding $1,000 in Bitcoin in exchange for the decryption key and restoration of the original system.
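A defender-side hunting check for the bootkit artifacts named above, added here as an example and not code from ESET or the report. It assumes the EFI System Partition has already been mounted read-only at a path you supply, and the allowlist of expected loader names is a hypothetical placeholder to adapt to your own fleet; the sample layout it builds is constructed for offline demonstration.

```python
import tempfile
from pathlib import Path

# File names the report associates with the HybridPetya bootkit.
HYBRIDPETYA_ARTIFACTS = {"reloader.efi", "cloak.dat"}

# Hypothetical allowlist of EFI binaries normally present on a Windows ESP.
# Adjust to what your own golden image actually ships.
KNOWN_LOADERS = {"bootmgfw.efi", "bootmgr.efi", "bootx64.efi", "memtest.efi"}


def scan_esp(esp_root):
    """Walk a mounted ESP and report suspicious files.

    Returns a dict with 'indicators' (paths whose name matches a reported
    HybridPetya artifact) and 'unexpected_efi' (other .efi binaries not on
    the allowlist, worth a manual look). Paths are relative to esp_root.
    """
    root = Path(esp_root)
    indicators, unexpected = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        rel = path.relative_to(root).as_posix()
        if name in HYBRIDPETYA_ARTIFACTS:
            indicators.append(rel)
        elif name.endswith(".efi") and name not in KNOWN_LOADERS:
            unexpected.append(rel)
    return {"indicators": sorted(indicators), "unexpected_efi": sorted(unexpected)}


def build_sample_esp(root):
    """Constructed ESP layout: two expected loaders, the two reported
    artifact names, and one unknown .efi. Placement is invented."""
    for rel in ("EFI/Microsoft/Boot/bootmgfw.efi", "EFI/Boot/bootx64.efi",
                "EFI/Microsoft/Boot/reloader.efi", "EFI/Microsoft/Boot/cloak.dat",
                "EFI/Tools/unknown.efi"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00")
    return root


def demo():
    """Build the constructed sample in a temp dir and scan it."""
    return scan_esp(build_sample_esp(tempfile.mkdtemp()))


if __name__ == "__main__":
    print(demo())
```

On a real host, point scan_esp at the mounted ESP instead of the constructed sample, and treat any hit in 'indicators' as a trigger for isolating the machine and imaging the partition before cleanup.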
Although no real-world attacks using HybridPetya have yet been reported, researchers warn that cybercriminals may weaponize it in the future, particularly against Windows systems that remain unpatched against CVE-2024-7344, which Microsoft addressed in its January 2025 Patch Tuesday updates. Experts advise both individuals and organizations to apply the latest patches promptly and to maintain regular offline backups of critical data to mitigate the impact of increasingly advanced ransomware strains like HybridPetya.