HybridPetya Mimics NotPetya, Adds UEFI Compromise

A newly identified ransomware strain called HybridPetya has appeared on the VirusTotal platform.

Uploaded in February 2025, the sample showed under filenames suggesting a link to the destructive NotPetya outbreak.

The malware shares substantial similarities with Petya and NotPetya but adds capabilities that set it apart, most notably the ability to compromise UEFI-based systems by installing its own boot-stage component.

HybridPetya targets NTFS partitions by encrypting the Master File Table (MFT), the NTFS metadata structure that records the name, attributes and on-disk location of every file. With the MFT encrypted, the file contents themselves are untouched but the operating system can no longer locate them.

Unlike NotPetya, which inflicted more than $10bn in global damages in 2017 by making recovery impossible, HybridPetya allows victims to restore access if the correct decryption key is supplied. This makes it behave more like conventional ransomware.

Analysis shows that the malware installs a malicious EFI application onto the EFI System Partition, ensuring persistence at a level deeper than the operating system.

In one version, HybridPetya also exploits CVE-2024-7344. This flaw lets an attacker bypass UEFI Secure Boot on systems that have not applied the revocation: a vulnerable third-party UEFI application, signed under Microsoft's third-party UEFI CA and therefore trusted by Secure Boot, uses its own loader to read and execute a specially crafted cloak.dat file from the EFI System Partition, sidestepping the signature checks normal UEFI image loading would apply.

Some defining traits of HybridPetya include:

  • Encryption of the NTFS Master File Table with the Salsa20 algorithm

  • Installation of a UEFI bootkit that runs before Windows loads

  • Exploitation of CVE-2024-7344 (in one variant) to bypass UEFI Secure Boot

  • Support for data recovery when the decryption key is entered
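The artefacts described above all live on the EFI System Partition: an EFI application the firmware will run before Windows, and, in the CVE-2024-7344 variant, a cloak.dat file sitting next to a signed loader. The following script is an added triage example written for this article, not ESET's tooling or anything from the malware itself. It walks a mounted ESP and flags the indicators a responder would look for: the cloak.dat name taken from the page, EFI applications outside the directories where Windows normally keeps them, EFI files that are not valid PE images, and PE images hiding under a non-.efi name. The list of expected boot directories and the sample ESP layout are assumptions constructed for the demonstration; real triage should additionally compare every binary against known-good hashes and the Secure Boot db/dbx state.

```python
"""Triage an EFI System Partition (ESP) for bootkit-style artefacts.

Added example for this article; not ESET's or the malware author's code.
EXPECTED_EFI_DIRS and the constructed sample ESP are assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Where EFI applications normally live on a Windows ESP (assumption:
# extend for Linux shim/grub, OEM diagnostics, etc.). FAT32 is
# case-insensitive, so comparisons are done upper-cased.
EXPECTED_EFI_DIRS = {"EFI/MICROSOFT/BOOT", "EFI/BOOT"}

# File name the article ties to the CVE-2024-7344 Secure Boot bypass.
INDICATOR_NAMES = {"CLOAK.DAT"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: Path) -> bool:
    """EFI applications are PE/COFF images: 'MZ' at offset 0 and the
    'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    with path.open("rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def scan_esp(esp_root: str) -> list[dict]:
    """Walk an ESP mount; return findings as {"path", "sha256", "reason"}."""
    root = Path(esp_root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        parent = path.parent.relative_to(root).as_posix().upper()
        name = path.name.upper()
        reasons = []
        if name in INDICATOR_NAMES:
            reasons.append("indicator filename (crafted payload container)")
        if name.endswith(".EFI"):
            if parent not in EXPECTED_EFI_DIRS:
                reasons.append("EFI application outside expected boot directories")
            if not is_pe(path):
                reasons.append("EFI file is not a valid PE image")
        elif is_pe(path):
            # A bootkit body can be dropped under any name and loaded by a
            # first stage, so a PE image without .efi is worth a look.
            reasons.append("PE image without .efi extension")
        for reason in reasons:
            findings.append({"path": rel, "sha256": sha256_of(path), "reason": reason})
    return findings


def minimal_pe() -> bytes:
    """Constructed bytes that satisfy is_pe(); not a bootable image."""
    return b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"


def make_sample_esp(root: str) -> None:
    """Constructed ESP: two benign loaders plus three suspicious files."""
    layout = {
        "EFI/Microsoft/Boot/bootmgfw.efi": minimal_pe(),
        "EFI/Boot/bootx64.efi": minimal_pe(),
        "EFI/Microsoft/Boot/cloak.dat": b"\x5a" * 64,  # payload container
        "EFI/Tools/shim.efi": minimal_pe(),            # outside expected dirs
        "EFI/Boot/updater.bin": minimal_pe(),          # PE hidden as .bin
    }
    for rel, data in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo_scan() -> list[dict]:
    """Build the constructed ESP in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_esp(tmp)
        return scan_esp(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f['reason']:<52} {f['path']}  {f['sha256'][:16]}")
```

Against a real system, mount the ESP first (on Windows `mountvol S: /S` from an elevated prompt; on Linux it is usually already at /boot/efi) and call `scan_esp()` on that path. Because a Secure Boot bypass via CVE-2024-7344 relies on a binary that is still trusted, the presence of cloak.dat beside a signed loader is a stronger signal than the loader's valid signature is a reassurance.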


ESET Research, which analyzed the samples, has found no evidence that HybridPetya is actively spreading.

Unlike NotPetya, it does not contain self-propagating code designed to jump across networks. Still, its technical features are significant. By combining ransomware functions with firmware-level persistence and a Secure Boot bypass, HybridPetya demonstrates how attackers are experimenting with deeper, more resilient forms of compromise.

The discovery places HybridPetya alongside other advanced UEFI bootkits such as BlackLotus. Whether it proves to be an active weapon or merely a proof of concept, it underscores a trend: weaknesses in system startup protections are increasingly targeted, and ransomware is adapting to exploit them.
