
Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

HybridPetya, a new ransomware discovered on VirusTotal, combines features of Petya and NotPetya while adding support for UEFI-based systems. It encrypts the Master File Table on NTFS partitions and compromises UEFI systems by installing a malicious EFI application on the EFI System Partition. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot on systems that have not received the corresponding revocation (dbx) update. Unlike NotPetya, HybridPetya allows the encryption key to be recovered, so it functions as regular ransomware rather than a wiper. While not yet observed in the wild, its technical capabilities, including MFT encryption and Secure Boot bypass, make it worth tracking.

OPENCTI LABELS :

ransomware,bypass,uefi,petya,mft encryption,cve-2024-7344,hybridpetya,secure boot,notpetya


AI COMMENTARY :

1. Introduction HybridPetya is a new addition to the ransomware landscape that combines the destructive traits of Petya and NotPetya with capabilities aimed at UEFI-based systems. First identified on VirusTotal, this malware family takes a modular approach, pairing a Windows-side installer with a UEFI component, which enables both MFT encryption on NTFS partitions and deployment of a malicious EFI application. Petya and NotPetya gained pre-boot execution by overwriting the Master Boot Record of legacy BIOS systems; HybridPetya’s ability to do the same on UEFI systems, where the MBR plays no part in the boot process, reflects a broader trend of ransomware moving into the boot chain.

2. HybridPetya’s Core Capabilities At its core, HybridPetya encrypts the Master File Table (MFT), the index NTFS uses to locate every file and its attributes. Encrypting the MFT leaves file contents on disk but destroys the metadata needed to find them, so the whole partition becomes unusable to the operating system in a fraction of the time that per-file encryption would take. Unlike earlier strains that relied on an MBR overwrite, HybridPetya also introduces a UEFI component: a malicious EFI application installed on the EFI System Partition (ESP) so that it runs before the operating system loads. This dual design lets the malware both lock user data and control the boot process on modern hardware. Note that the EFI application lives on the ESP, not in firmware flash; it survives reboots, but not an ESP reformat or a clean reinstall that recreates the partition.
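The quickest offline triage for Petya-style MFT encryption is to read the NTFS boot sector the way a forensic tool does, locate $MFT, and check whether its records still carry the "FILE" signature. The following Python is an added example (not code from the page, from ESET, or from the malware): it builds a constructed miniature NTFS image, runs that check, then simulates the effect of MFT encryption with a fixed XOR keystream. The image layout and the keystream are constructed test data; the malware’s real cipher is not reproduced.

```python
import struct

SECTOR = 512
# Constructed stand-in for a cipher keystream (test data only, not the malware's cipher)
KEYSTREAM = bytes(range(1, 17))


def build_ntfs_image(mft_lcn=4, sectors_per_cluster=8, record_count=4):
    """Build a tiny constructed NTFS volume image: a boot sector plus a few
    $MFT records. It is test data, not a real formatted volume."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                     # jump instruction
    vbr[3:11] = b"NTFS    "                       # OEM ID
    struct.pack_into("<H", vbr, 0x0B, SECTOR)     # bytes per sector
    vbr[0x0D] = sectors_per_cluster
    struct.pack_into("<Q", vbr, 0x30, mft_lcn)    # logical cluster number of $MFT
    vbr[0x40] = 0xF6                               # clusters per MFT record: -10 -> 2**10 = 1024 bytes
    vbr[0x1FE:0x200] = b"\x55\xAA"                 # boot sector signature
    cluster = SECTOR * sectors_per_cluster
    image = bytearray(cluster * (mft_lcn + 2))
    image[0:SECTOR] = vbr
    base = mft_lcn * cluster
    for i in range(record_count):
        rec = bytearray(1024)
        rec[0:4] = b"FILE"                         # FILE_RECORD_SEGMENT_HEADER signature
        struct.pack_into("<H", rec, 0x04, 0x30)    # update sequence array offset
        struct.pack_into("<H", rec, 0x06, 3)       # update sequence array size
        struct.pack_into("<H", rec, 0x16, 0x01)    # flags: record in use
        image[base + i * 1024:base + (i + 1) * 1024] = rec
    return bytes(image)


def parse_vbr(image):
    """Return (bytes_per_sector, sectors_per_cluster, mft_lcn, record_size) from the NTFS boot sector."""
    vbr = image[:SECTOR]
    if vbr[3:11] != b"NTFS    " or vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("boot sector is not a valid NTFS VBR (overwritten or encrypted?)")
    bps, = struct.unpack_from("<H", vbr, 0x0B)
    spc = vbr[0x0D]
    mft_lcn, = struct.unpack_from("<Q", vbr, 0x30)
    cpr, = struct.unpack_from("<b", vbr, 0x40)    # signed: negative means 2**(-n) bytes
    record_size = 2 ** (-cpr) if cpr < 0 else cpr * bps * spc
    return bps, spc, mft_lcn, record_size


def damaged_mft_records(image, count=4):
    """Indices of the first `count` $MFT records whose 'FILE' signature is missing."""
    bps, spc, mft_lcn, record_size = parse_vbr(image)
    base = mft_lcn * bps * spc
    bad = []
    for i in range(count):
        off = base + i * record_size
        if image[off:off + 4] != b"FILE":
            bad.append(i)
    return bad


def simulate_mft_encryption(image, count=4):
    """XOR the first `count` $MFT records with the fixed keystream. This only
    mimics the effect on the on-disk signatures; it is not the malware's cipher."""
    bps, spc, mft_lcn, record_size = parse_vbr(image)
    base = mft_lcn * bps * spc
    out = bytearray(image)
    for off in range(base, base + count * record_size):
        out[off] ^= KEYSTREAM[(off - base) % len(KEYSTREAM)]
    return bytes(out)


if __name__ == "__main__":
    healthy = build_ntfs_image()
    print("healthy image, damaged records:", damaged_mft_records(healthy))
    print("after MFT encryption, damaged records:",
          damaged_mft_records(simulate_mft_encryption(healthy)))
```

On a real disk image the same functions apply to the bytes of the NTFS partition (the boot sector is its first 512 bytes). A ValueError from parse_vbr is itself a finding: Petya-family loaders also overwrite boot sectors, so an unparseable VBR on a volume that was NTFS yesterday deserves the same attention as missing MFT signatures.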

3. UEFI Secure Boot Bypass Mechanics The most notable feature of HybridPetya is its ability to run under UEFI Secure Boot. Secure Boot verifies the Authenticode signature of every EFI binary the firmware loads from the ESP against the platform’s allowed (db) and forbidden (dbx) databases, so an unsigned or revoked bootloader is refused. HybridPetya does not modify the firmware itself; it installs its EFI application on the ESP in the place of the regular Windows boot manager. With Secure Boot disabled the firmware simply runs it; with Secure Boot enabled the malware needs a validly signed component that will load its code without checking it, which is where CVE-2024-7344 comes in. Either way the ransomware runs before the OS kernel and therefore before any endpoint protection driver is loaded, which is what makes bootkit-style ransomware hard to detect from inside the OS.

4. CVE-2024-7344 Exploitation A specific variant of HybridPetya takes advantage of CVE-2024-7344, a vulnerability disclosed by ESET in January 2025 in a third-party UEFI application signed with Microsoft’s UEFI CA. Instead of using the firmware’s LoadImage and StartImage services, which enforce Secure Boot, the affected loader used its own PE loader to run a payload it read from a file on the ESP, so it would start any binary placed in that file without a signature check. Because the loader itself is validly signed, a system whose dbx does not yet list it will boot it, and with it the attacker’s code. The fix is not a firmware patch but a revocation: Microsoft shipped dbx updates in January 2025 that block the vulnerable binaries, and systems that have not applied them remain exposed. It is a reminder that Secure Boot is only as strong as its revocation database, and that dbx updates belong in patch management alongside firmware updates.

5. Comparison with Petya and NotPetya While HybridPetya borrows heavily from the MFT encryption routines of Petya and NotPetya, it diverges in key recovery. NotPetya was effectively a wiper: the key material needed for decryption was never retained, so no payment could restore data. HybridPetya, by contrast, keeps a working ransom model in which the key used on the victim machine can be recovered once the victim complies. Whether this signals a deliberate return to conventional ransom economics or simply a closer imitation of the original Petya cannot be settled from the sample alone.

6. Implications for Future Threat Monitoring The discovery of HybridPetya shows the ransomware side of the arms race moving into the boot chain. Even as a prototype not yet seen in the wild, it demonstrates that UEFI persistence and a Secure Boot bypass can be packaged with ordinary ransomware, and future campaigns are likely to follow. Threat intelligence and detection teams should therefore add boot-chain telemetry: contents and hashes of the ESP, Secure Boot state, the installed dbx version, and unexpected changes to the Windows boot manager file, and work with hardware vendors to identify anomalous EFI applications.

7. Mitigation Strategies and Recommendations Organizations can defend against HybridPetya with a layered strategy. Applying the Microsoft dbx revocation updates that block the CVE-2024-7344 loader, and keeping UEFI firmware current, is the single most important step, since Secure Boot cannot reject a signed binary it has not been told to distrust. Secure Boot should be enabled and its state verified (on Windows, the Confirm-SecureBootUEFI cmdlet reports it); measured boot with TPM-backed attestation adds detection, because a replaced boot manager changes the boot-time measurements even when Secure Boot accepts it. Regular backups of critical data with offline or immutable copies remain the most reliable safeguard against MFT encryption, since recovery of the key cannot be assumed. Finally, inventory and monitor the ESP: alert on changes to the Windows boot manager, on EFI binaries without a valid Microsoft signature, and on unexpected extra files next to the boot manager, and prefer endpoint tooling that can inspect the pre-boot environment.
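The ESP checks above come down to two questions per EFI binary: does it carry an Authenticode signature at all, and is its image hash on the dbx deny list? The Python below is an added example (not code from the page or from ESET) that answers both for the Secure Boot mechanics in sections 3 and 4 and the monitoring advice here. It parses the PE headers, computes the Authenticode image hash as the specification defines it (skipping the CheckSum field, the security data-directory entry and the certificate table), which is the value that matches EFI_CERT_SHA256 entries in dbx, and classifies the file. The sample PE, its placeholder certificate blob and the dbx set are constructed; the script checks signature presence and revocation by hash, not certificate chain validity.

```python
import hashlib
import struct

DOS_E_LFANEW = 0x3C
SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: the attribute certificate table


def pe_layout(data):
    """Parse just enough of a PE/COFF image to apply the Authenticode hashing rules."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, DOS_E_LFANEW)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:       # PE32+, used by x64/AArch64 EFI applications
        dd = opt + 112
    elif magic == 0x10B:     # PE32
        dd = opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    secdir_off = dd + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {"checksum_off": opt + 64, "secdir_off": secdir_off,
            "size_of_headers": size_of_headers, "sections": sorted(sections),
            "cert": (cert_off, cert_size)}


def authenticode_sha256(data):
    """SHA-256 over the image as Authenticode hashes it: all bytes except the CheckSum
    field, the security directory entry and the certificate table itself."""
    lay = pe_layout(data)
    h = hashlib.sha256()
    h.update(data[:lay["checksum_off"]])
    h.update(data[lay["checksum_off"] + 4:lay["secdir_off"]])
    h.update(data[lay["secdir_off"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for raw_ptr, raw_size in lay["sections"]:           # sections in file order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    tail = len(data) - hashed - lay["cert"][1]          # trailing data minus the cert table
    if tail > 0:
        h.update(data[hashed:hashed + tail])
    return h.hexdigest()


def has_authenticode_signature(data):
    return pe_layout(data)["cert"][1] > 0


def classify_efi_binary(data, dbx_sha256):
    """Triage verdict for one EFI binary taken from an ESP."""
    if not has_authenticode_signature(data):
        return "unsigned"        # Secure Boot refuses this; it only runs with Secure Boot off
    if authenticode_sha256(data) in dbx_sha256:
        return "revoked"         # validly signed, but its image hash is on the deny list
    return "signed"              # still needs chain validation against db (e.g. sbverify)


def build_sample_efi_pe(signed, checksum=0, code_byte=0x90):
    """Constructed minimal PE32+ EFI application (sample data, not a real bootloader)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)  # x64, 1 section, PE32+ opt size
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)        # CheckSum (excluded from the hash)
    struct.pack_into("<H", opt, 68, 10)              # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<IIII", sect, 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    image = bytearray(headers + bytes([code_byte]) * 0x200)
    if signed:
        blob = b"constructed placeholder, not a real PKCS#7 signature"
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob   # WIN_CERTIFICATE header
        cert = cert.ljust((len(cert) + 7) // 8 * 8, b"\0")                  # 8-byte aligned
        secdir = 0x40 + 4 + 20 + 112 + 8 * SECURITY_DIR_INDEX
        struct.pack_into("<II", image, secdir, len(image), len(cert))
        image += cert
    return bytes(image)
```

To run this against a live Windows host, mount the ESP (mountvol S: /S from an elevated prompt) and pass the bytes of S:\EFI\Microsoft\Boot\bootmgfw.efi; on Linux the same file is usually under /boot/efi. The dbx set should come from the platform’s actual dbx variable (Get-SecureBootUEFI -Name dbx on Windows, or /sys/firmware/efi/efivars on Linux), parsed into hex SHA-256 strings. A "signed" verdict is not a clean bill of health: the certificate chain still has to validate against db, which this script deliberately leaves to a full Authenticode verifier.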

8. Conclusion HybridPetya represents a notable escalation in ransomware capabilities, combining MFT encryption and a UEFI Secure Boot bypass in a single package. Its use of CVE-2024-7344 against systems that have not applied the dbx revocation, together with a conventional ransom-driven recovery path, makes it a hybrid in both name and function. As threat actors continue to move down the stack, organizations must reinforce both software and boot-chain defenses to stay ahead of ransomware.



