Cybersecurity firm ESET has uncovered a new ransomware strain called HybridPetya, which blends traits of the infamous Petya/NotPetya malware with a newly discovered ability to bypass UEFI Secure Boot via the CVE-2024-7344 vulnerability. According to ESET, the malware was first spotted on VirusTotal in February 2025. Unlike its destructive predecessors, HybridPetya encrypts the Master File Table (MFT) on NTFS drives and installs a malicious EFI application into the EFI System Partition, enabling it to run early during system boot. The Secure Boot bypass is achieved via a specially-crafted file, cloak.dat, loaded through a vulnerable Microsoft-signed UEFI application (“reloader.efi” / “bootmgfw.efi”) in Howyar’s software, which ignores integrity checks. ESET notes there’s no evidence yet of widespread use in the wild—it may still be a proof-of-concept or early test strain—but its capabilities pose serious risk, especially for outdated or unpatched systems.
Sources: Hacker News, National Vulnerability Database, ESET
Key Takeaways
– HybridPetya represents a dangerous evolution in ransomware, combining the tactics of older strains (like Petya/NotPetya) with bootkit behavior and UEFI Secure Boot bypass.
– The vulnerability CVE-2024-7344 allows execution of unsigned or unverified code from a cloak.dat file via a signed UEFI application, undermining Secure Boot protections on affected systems.
– So far, no major attacks using HybridPetya have been confirmed, but the discovery underscores urgency for organizations to patch vulnerable UEFI components, revoke unsafe binaries, and ensure Secure Boot configurations are solid.
In-Depth
HybridPetya emerges at a precarious intersection of malware sophistication and exploitation of system firmware vulnerabilities. Discovered by ESET researchers in mid‐2025, this strain draws inspiration from Petya and NotPetya—widespread ransomware and wiper attacks that made headlines for their damage and high-profile targets—but adds a modern twist: the ability to compromise UEFI systems that employ Secure Boot protections. Secure Boot, intended to ensure that only trusted, signed code executes during system startup, is one of the foundational layers of modern OS security. By exploiting CVE-2024-7344—a vulnerability in a Microsoft-signed UEFI application (the “reloader.efi” component from Howyar contributed software)—HybridPetya manages to sneak a malicious UEFI bootkit into a machine earlier in the boot chain, circumventing Secure Boot’s integrity checks via a malformed cloak.dat file. This allows it to load with elevated privileges and encrypt key metadata structures such as the Master File Table (MFT) on NTFS partitions.
The structure of HybridPetya reveals a two-part tool: an installer that places a malicious EFI application in the EFI System Partition, and a bootkit component that manages state (ready to encrypt, already encrypted, or decrypted) and tracks progress via files like verify, counter, and cloak.dat. The malware even displays a fake CHKDSK screen to fool users into thinking a disk check is underway while encryption proceeds in secret. One variant demands a ransom of US$1,000 in Bitcoin. Though ESET’s telemetry indicates no confirmed real-world deployment yet—suggesting HybridPetya might still be a proof-of-concept or in early testing—its capabilities are especially concerning, because many systems remain unpatched, or still trust the vulnerable UEFI components.
The risk for organizations and individuals is clear: firmware-level vulnerabilities are harder to detect and remediate; Secure Boot bypasses enable early compromise before many security products can even load. To defend, institutions should promptly check for UEFI firmware updates, ensure that vulnerable binaries like reloader.efi have been replaced or revoked, audit Secure Boot configuration (including trust databases), and maintain backups of critical data. Even though we don’t have reports yet of HybridPetya in the wild at scale, its discovery is a warning shot: attackers continue to evolve, and legacy or poorly maintained systems increasingly represent weak links in the cybersecurity chain.