
Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A new ransomware called HybridPetya has been discovered, combining features of Petya and NotPetya with advanced UEFI-based system capabilities. It encrypts the Master File Table on NTFS partitions and can install a malicious EFI application to compromise UEFI systems. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. While not yet observed in the wild, HybridPetya demonstrates sophisticated techniques including UEFI bootkit functionality and Secure Boot bypass. It may be a proof-of-concept but highlights the growing trend of UEFI-based threats. The malware allows key reconstruction, potentially functioning as regular ransomware rather than being purely destructive like NotPetya.

OPENCTI LABELS:

ransomware, uefi, petya, bootkit, mft encryption, cve-2024-7344, hybridpetya, notpetya, petrwrap, diskcoder.c, secure boot bypass, expetr, goldeneye, nyetya


AI COMMENTARY:

1. Introduction to HybridPetya

HybridPetya is a newly identified ransomware that merges the disk-encrypting behaviour of Petya and NotPetya with a UEFI bootkit component. The strain encrypts the Master File Table (MFT) on NTFS partitions and installs a malicious EFI application to compromise UEFI-based systems. Although HybridPetya has not yet been observed in active campaigns, its bootkit functionality sets a worrying precedent for future UEFI-based infections.

2. Tracing Ancestry: Petya, NotPetya, and Beyond

Drawing on classic diskcoders such as Petya and its destructive sibling NotPetya, HybridPetya inherits core techniques like MFT encryption and extortion routines reminiscent of the PetrWrap and GoldenEye variants. Where NotPetya operated as a wiper under the guise of ransomware, HybridPetya supports genuine key reconstruction, so it can function as real extortionware rather than a purely destructive payload like NotPetya (also tracked as Nyetya or ExPetr).

3. UEFI Bootkit Mechanisms

At the heart of HybridPetya's design lies its UEFI bootkit component. Upon infection, the malware installs a rogue EFI application on the EFI System Partition. This payload runs before the operating system loads, giving the attacker persistent, low-level control of the boot process. The integration of bootkit architecture into ransomware underlines a shift in threat actor methodology toward firmware-level attacks.

4. Secure Boot Bypass via CVE-2024-7344

One variant of HybridPetya exploits CVE-2024-7344, allowing it to bypass UEFI Secure Boot on firmware that has not received the relevant updates. By abusing a weakness in the Secure Boot verification chain, the malware can get its EFI component loaded without being rejected at boot. This capability sets HybridPetya apart from typical bootkits and makes it one of the first ransomware families to weaponize a UEFI flaw so directly.

5. Proof-of-Concept or Emerging Menace?

Security researchers regard HybridPetya largely as a proof-of-concept for now, yet its sophisticated features underscore a broader trend: the weaponization of firmware and boot loaders. Even without active in-the-wild incidents, the malware's design demonstrates how threat actors might combine MFT encryption techniques from Diskcoder.C with UEFI compromise strategies to bypass traditional defense mechanisms.

6. Implications for Defense and Detection

HybridPetya's arrival signals a need for organizations to strengthen firmware security and patch management. Monitoring for unauthorized EFI applications, enforcing Secure Boot on up-to-date UEFI implementations, and employing endpoint detection tools attuned to bootkit behaviors are critical. As ransomware continues to evolve, the convergence of bootkit and disk encryption tactics exemplified by HybridPetya demands a proactive, layered defense posture.
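The two controls the commentary names, Secure Boot enforcement and an inventory of EFI applications on the EFI System Partition (ESP), can be checked from an elevated PowerShell session on a UEFI Windows host. The script below is an added example, not part of the OpenCTI report or of any vendor tooling; it assumes a standard Windows ESP layout (the allow-listed path prefixes are an assumption and should be adjusted for dual-boot or OEM recovery layouts) and that drive letter S: is free for mounting the ESP.

```powershell
# Added example: Secure Boot state plus an EFI application inventory of the ESP.
# Requires an elevated prompt on a UEFI-booted Windows host.

# Assumed baseline: paths where EFI binaries are expected on a plain Windows install.
$ExpectedPrefixes = @('\EFI\Microsoft\Boot\', '\EFI\Boot\')

function Get-SecureBootState {
    # Returns $true/$false, or $null when the firmware cannot be queried
    # (legacy BIOS/CSM boot, or the cmdlet is unsupported on this platform).
    try {
        return [bool](Confirm-SecureBootUEFI)
    } catch {
        return $null
    }
}

function Get-EfiApplicationInventory {
    param([string]$DriveLetter = 'S')   # assumed free drive letter
    $mount = "$DriveLetter`:"
    # The ESP has no drive letter by default; mountvol /S maps it temporarily.
    & mountvol $mount /S | Out-Null
    try {
        Get-ChildItem -Path "$mount\EFI" -Recurse -Filter '*.efi' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $full = $_.FullName
            $rel  = $full.Substring($mount.Length)
            # EFI applications are PE files, so Authenticode metadata can be read.
            $sig  = Get-AuthenticodeSignature -FilePath $full
            $isExpected = [bool]($ExpectedPrefixes | Where-Object { $rel.StartsWith($_, 'OrdinalIgnoreCase') })
            [pscustomobject]@{
                Path       = $rel
                SizeBytes  = $_.Length
                Modified   = $_.LastWriteTimeUtc
                SHA256     = (Get-FileHash -Path $full -Algorithm SHA256).Hash
                Signature  = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
                Unexpected = -not $isExpected   # outside the assumed baseline paths
            }
        }
    } finally {
        # Always unmap the ESP again, even if enumeration failed part-way.
        & mountvol $mount /D | Out-Null
    }
}

$sb = Get-SecureBootState
if ($sb -eq $true) {
    'Secure Boot: enabled'
} elseif ($sb -eq $false) {
    'Secure Boot: DISABLED - review firmware settings'
} else {
    'Secure Boot: not applicable (legacy boot) or query failed'
}

$inventory = Get-EfiApplicationInventory
$inventory | Format-Table Path, SizeBytes, Modified, Signature, Unexpected -AutoSize

# Anything outside the baseline, or without a valid Authenticode signature, is
# a candidate for closer review (hash lookup, comparison against a known-good image).
$flagged = $inventory | Where-Object { $_.Unexpected -or $_.Signature -ne 'Valid' }
if ($flagged) {
    Write-Warning 'EFI applications needing review:'
    $flagged | Format-List Path, SHA256, Signature, Signer
}
```

Two caveats when reading the output. Secure Boot validates binaries against the firmware's db/dbx databases, not the Windows certificate store, so a non-Valid Authenticode status is a prompt to investigate rather than proof of tampering. Conversely, a valid signature does not clear a file: the CVE-2024-7344 class of issue is precisely a signed component that goes on to load something it should not, which is why the inventory compares paths and hashes against a baseline rather than trusting signatures alone. Keeping the host's Secure Boot revocation list (dbx) current closes that route on systems that have received the update.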
