A just lately found ransomware pressure referred to as HybridPetya can bypass the UEFI Safe Boot characteristic to put in a malicious software on the EFI System Partition.
HybridPetya seems impressed by the harmful Petya/NotPetya malware that encrypted computer systems and prevented Home windows from booting in assaults in 2016 and 2017 however didn’t present a restoration possibility.
Researchers at cybersecurity firm ESET discovered a pattern of HybridPetya on VirusTotal. They word that this can be a analysis mission, a proof-of-concept, or an early model of a cybercrime device nonetheless underneath restricted testing.
Nonetheless, ESET says that its presence is yet one more instance (together with BlackLotus, BootKitty, and Hyper-V Backdoor) that UEFI bootkits with Safe Bypass performance are an actual menace.
HybridPetya incorporates traits from each Petya and NotPetya, together with the visible type and assault chain of those older malware strains.
Nevertheless, the developer added new issues like set up into the EFI System Partition and the power to bypass Safe Boot by exploiting the CVE-2024-7344 vulnerability.
ESET found the flaw in January this 12 months, The problem consists in Microsoft-signed purposes that could possibly be exploited to deploy bootkits even with Safe Boot safety energetic on the goal.
Supply: ESET
Upon launch, HybridPetya determines if the host makes use of UEFI with GPT partitioning and drops a malicious bootkit into the EFI System partition consisting of a number of recordsdata.
These embrace configuration and validation recordsdata, a modified bootloader, a fallback UEFI bootloader, an exploit payload container, and a standing file that tracks the encryption progress.
ESET lists the next recordsdata used throughout analyzed variants of HybridPetya:
- EFIMicrosoftBootconfig (encryption flag + key + nonce + sufferer ID)
- EFIMicrosoftBootverify (used to validate right decryption key)
- EFIMicrosoftBootcounter (progress tracker for encrypted clusters)
- EFIMicrosoftBootbootmgfw.efi.previous (backup of unique bootloader)
- EFIMicrosoftBootcloak.dat (incorporates XORed bootkit in Safe Boot bypass variant)
Additionally, the malware replaces EFIMicrosoftBootbootmgfw.efi with the susceptible ‘reloader.efi,’ and removes EFIBootbootx64.efi.
The unique Home windows bootloader can also be saved to be activated within the case of profitable restoration, that means that the sufferer paid the ransom.
As soon as deployed, HybridPetya triggers a BSOD displaying a bogus error, as Petya did, and forces a system reboot, permitting the malicious bootkit to execute upon system boot.
At this step, the ransomware encrypts all MFT clusters utilizing a Salsa20 key and nonce extracted from the config file whereas displaying a faux CHKDSK message, like NotPetya.
Supply: ESET
As soon as the encryption completes, one other reboot is triggered and the sufferer is served a ransom word throughout system boot, demanding a Bitcoin cost of $1,000.
Supply: ESET
In alternate, the sufferer is supplied a 32-character key they will enter on the ransom word display screen, which restores the unique bootloader, decrypts the clusters, and prompts the consumer to reboot.
Although HybridPetya has not been noticed in any actual assaults within the wild, comparable tasks might select to weaponize the PoC and use it in broad campaigns concentrating on unpatched Home windows methods at any time.
Indicators of compromise to assist defend towards this menace have been made out there on this GitHub repository.
Microsoft fastened CVE-2024-7344 with the January 2025 Patch Tuesday, so Home windows methods which have utilized this or later safety updates are shielded from HybridPetya.
One other strong apply towards ransomware is to maintain offline backups of your most necessary information, permitting free and simple system restoration.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration traits.
