2025/09/16 12:23:16

HybridPetya (ransomware virus)

History

2025: The Emergence of the Ransomware Virus

ESET cybersecurity experts have discovered a modified version of the Petya ransomware, called HybridPetya, that can bypass the UEFI Secure Boot mechanism on Windows systems and install malicious code in the EFI system partition. The new program demands a ransom of $1,000 to decrypt the locked data and exploits CVE-2024-7344, a vulnerability that Microsoft has already fixed. ESET reported the discovery of the threat in mid-September 2025.

The first HybridPetya samples were uploaded to the VirusTotal platform in February 2025. The malware is based on the infamous Petya and NotPetya, which were actively distributed in 2016-2017 and caused significant damage to computer systems around the world.

A new version of the Petya ransomware has appeared that bypasses Windows Secure Boot and locks the computer

The main difference of the new version is its ability to get past the protection of the Unified Extensible Firmware Interface (UEFI), the modern successor to BIOS. UEFI supports Secure Boot, which prevents unsigned programs from running at the boot stage of the operating system.

HybridPetya exploits CVE-2024-7344, a vulnerability in Microsoft software that allows UEFI security mechanisms to be bypassed. Microsoft developers fixed this vulnerability in an update released in January 2025, but not all systems have received the fix.

After launch, the malware checks whether the computer uses UEFI with a GUID Partition Table (GPT) and places its malicious code in the EFI system partition. The payload includes configuration files, a modified bootloader, a backup copy of the UEFI bootloader, an exploit container, and a file that tracks the progress of encryption.

The attack begins by triggering a blue screen of death, a critical Windows error that forces the system to reboot. When the operating system next starts, the malicious code that HybridPetya placed in the computer's system partition is activated.[1]

Notes