A new ransomware strain called HybridPetya has been discovered by cybersecurity researchers. This malware resembles the well-known Petya/NotPetya ransomware and is able to bypass the Secure Boot mechanism on UEFI systems. Samples of HybridPetya were first identified by the Slovak cybersecurity company ESET in February 2025.
HybridPetya encrypts the Master File Table (MFT), which holds the metadata for every file on an NTFS-formatted partition. Unlike its predecessor Petya/NotPetya, HybridPetya can compromise UEFI-based systems by installing a malicious EFI application onto the EFI System Partition.
The ransomware consists of two main components: a bootkit and an installer. The bootkit is responsible for encrypting files and displaying ransom notes to victims. It also updates the fake CHKDSK message on the victim’s screen to deceive them.
If the victim pays the ransom, they receive a decryption key to unlock their files. The bootkit then proceeds to decrypt the files and restore the legitimate bootloaders on the system.
HybridPetya exploits a vulnerability in the Howyar Reloader UEFI application to bypass Secure Boot. Microsoft has released a patch to address this vulnerability and revoked the old, vulnerable binary.
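Because the mitigation described above is a revocation, the practical check for a defender is whether the revoked image's hash is actually present in the firmware's forbidden-signature database (dbx). The example below is added here and is not ESET's or Microsoft's code: it parses the UEFI EFI_SIGNATURE_LIST format that dbx uses and answers "is this hash revoked on this machine?". The two hash values and the owner GUID in the sample dbx are constructed placeholders, not the real Reloader hash; the EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID constants are the ones defined in the UEFI specification.

```python
import hashlib
import struct
import uuid
from typing import Iterator, List, Set, Tuple

# GUIDs from the UEFI specification identifying the kind of entry a signature list holds.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # raw SHA-256 hashes
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # DER certificates

SIGLIST_HEADER_LEN = 28  # SignatureType GUID (16) + three uint32 size fields (12)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries: List[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST whose entries all carry `owner` as SignatureOwner."""
    if not entries:
        raise ValueError("a signature list needs at least one entry")
    data_len = len(entries[0])
    if any(len(e) != data_len for e in entries):
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + data_len  # each EFI_SIGNATURE_DATA = SignatureOwner GUID + data
    body = b"".join(owner.bytes_le + e for e in entries)
    header_size = 0  # no SignatureHeader for hash and X.509 lists
    list_size = SIGLIST_HEADER_LEN + header_size + len(body)
    return sig_type.bytes_le + struct.pack("<III", list_size, header_size, sig_size) + body


def iter_signature_lists(blob: bytes) -> Iterator[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a concatenation of EFI_SIGNATURE_LISTs, yielding (type, owner, data) per entry."""
    off = 0
    while off + SIGLIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < SIGLIST_HEADER_LEN or end > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        pos = off + SIGLIST_HEADER_LEN + hdr_size
        if sig_size < 16 or pos > end or (end - pos) % sig_size:
            raise ValueError("signature entries do not fit the declared list size")
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after the last signature list")


def revoked_sha256_hashes(dbx: bytes) -> Set[str]:
    """Collect every SHA-256 entry in dbx; certificate entries are ignored."""
    return {
        data.hex()
        for sig_type, _owner, data in iter_signature_lists(dbx)
        if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32
    }


def is_revoked(dbx: bytes, image_sha256: str) -> bool:
    """True if the given hex SHA-256 (the Authenticode hash of the PE image) is in dbx."""
    return image_sha256.strip().lower().replace(" ", "") in revoked_sha256_hashes(dbx)


# Constructed sample dbx: one SHA-256 list with two placeholder hashes and one X.509 list
# with a dummy blob. None of these values correspond to a real revoked binary.
PLACEHOLDER_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED_HASH = hashlib.sha256(b"placeholder: revoked bootloader image").hexdigest()
OTHER_HASH = hashlib.sha256(b"placeholder: another revoked image").hexdigest()
SAMPLE_DBX = build_signature_list(
    EFI_CERT_SHA256_GUID, PLACEHOLDER_OWNER,
    [bytes.fromhex(REVOKED_HASH), bytes.fromhex(OTHER_HASH)],
) + build_signature_list(EFI_CERT_X509_GUID, PLACEHOLDER_OWNER, [b"\x30\x82" + b"\x00" * 38])

if __name__ == "__main__":
    print("sample dbx holds", len(revoked_sha256_hashes(SAMPLE_DBX)), "SHA-256 entries")
    print("placeholder hash revoked:", is_revoked(SAMPLE_DBX, REVOKED_HASH))
```

To run this against a live system, feed it the real variable contents instead of SAMPLE_DBX: on Linux, read /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and drop the first four bytes (the variable attributes); on Windows, the bytes returned by Get-SecureBootUEFI -Name dbx. Note that dbx stores the Authenticode hash of the PE image, not the SHA-256 of the file on disk, so the hash you look up must be computed the way the firmware computes it (for example with sbsign or a PE-aware tool), otherwise a revoked image will appear absent.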
While HybridPetya has not been observed in the wild, it highlights the growing trend of ransomware targeting UEFI systems. Security researchers have identified several UEFI bootkits with Secure Boot bypass functionality, indicating that these attacks are becoming more common.
Overall, HybridPetya represents a new challenge in the evolving landscape of ransomware attacks, demonstrating the need for robust cybersecurity measures to protect against such threats.