Close Menu
Cybercrime and Ransomware

HybridPetya Ransomware Bypasses UEFI Secure Boot with CVE-2024-7344 Exploit

Staff WriterBy No Comments4 Mins Read4 Views

Fast Facts

  1. HybridPetya, a new ransomware strain, combines Petya/NotPetya features with the ability to bypass UEFI Secure Boot vulnerabilities, enabling it to infect modern systems using a patched flaw.
  2. It encrypts files by targeting the Master File Table (MFT) on NTFS partitions, with its UEFI component installing a malicious EFI application onto the EFI System Partition to facilitate encryption.
  3. The malware employs a bootkit with multiple states, controlling encryption, decryption, and ransom payment, tricking victims with fake disk repair messages during encryption.
  4. Certain variants exploit a UEFI firmware vulnerability (CVE-2024-7344) to bypass Secure Boot, with threat actors potentially able to use this to reconstruct decryption keys, though currently no evidence of active deployment in the wild.

Key Challenge

Cybersecurity researchers from Slovakia have uncovered a sophisticated new strain of ransomware called HybridPetya, which mirrors the notorious Petya/NotPetya malware but adds a dangerous new capability: it can bypass the Secure Boot security feature on modern UEFI-based systems. Detected in February 2025 and uploaded to VirusTotal by an unknown actor, HybridPetya specifically targets the Master File Table (MFT) on NTFS partitions, encrypting vital file metadata and rendering systems inoperable. The malware operates through a dual-component setup—a bootkit and an installer—that can manipulate UEFI firmware by installing malicious EFI applications, exploiting a recently patched vulnerability (CVE‑2024‑7344) that previously allowed attackers to bypass Secure Boot protections.

The attack chain involves the malicious EFI app, which loads during startup, checks its encryption status, and proceeds to encrypt system files if unencrypted, then displays a ransom note demanding Bitcoin payments—currently totaling around $183.32. Once victims pay, the malware offers a decryption process, which involves the attacker reconstructing decryption keys by exploiting victim-specific credentials, unlike the fully destructive NotPetya. Interestingly, the malware’s development underscores growing trends in UEFI exploitation, as it demonstrably bypasses security measures thought to be robust, raising alarms within cybersecurity circles. The report, issued by ESET, emphasizes that while HybridPetya has not yet been observed in the wild, its existence marks an alarming escalation in the use of UEFI bootkits, highlighting a broader trend of increasing complexity and prevalence of firmware-level cyber threats.

Risk Summary

Cyber risks posed by the newly identified HybridPetya ransomware significantly threaten modern UEFI-based systems by exploiting vulnerabilities to bypass Secure Boot protections, enabling the malware to install malicious EFI applications and encrypt critical system components like the Master File Table (MFT). This malware leverages sophisticated bootkit mechanisms, including a dual-component structure with a bootloader and installer, which can manipulate encryption status flags, display deceptive disk repair messages, and demand ransom payments in Bitcoin. Exploiting a patched vulnerability (CVE‑2024‑7344), HybridPetya can load malicious code through an unverified file (“cloak.dat”), effectively circumventing integrity checks and restoring control over the system’s boot process. While current telemetry indicates limited active deployment, the malware exemplifies increasingly prevalent risks of UEFI firmware attacks, highlighting a concerning trend where attackers leverage firmware vulnerabilities to encrypt data and demand ransom, significantly impacting organizational security by threatening data integrity, system availability, and operational continuity.

Fix & Mitigation

Prompt action in addressing the "New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit" is crucial to safeguard sensitive systems and prevent widespread disruption. Rapid remediation helps to close security gaps quickly, reducing the risk of data loss, financial damage, and reputational harm.

Mitigation Strategies

  • Update Firmware: Apply latest UEFI firmware patches from device manufacturers to fix vulnerabilities.
  • Secure Boot Enforcement: Ensure Secure Boot is enabled and properly configured to prevent unauthorized bootloaders.
  • Patch Operating Systems: Install all recommended security updates, especially those addressing CVE-2024-7344.
  • Implement Endpoint Security: Deploy advanced antivirus and anti-malware tools capable of detecting exploit behaviors.
  • Network Segmentation: Isolate critical systems to limit the spread of ransomware if a breach occurs.
  • Monitor and Alert: Set up continuous monitoring for unusual activity or system anomalies indicative of compromise.
  • User Awareness: Educate staff on phishing tactics and ransomware risks to reduce initial infection vectors.
  • Backup Strategies: Maintain regular, offline backups of essential data to facilitate recovery without capitulation.

Continue Your Cyber Journey

Discover cutting-edge developments in Emerging Tech and industry Insights.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.