
HybridPetya Ransomware Bypasses UEFI Secure Boot, Echoing Petya/NotPetya Attacks
Researchers at ESET have discovered a new ransomware variant named HybridPetya on the VirusTotal platform. This malware bears similarities to the notorious Petya and NotPetya attacks of 2016–2017 but introduces advanced capabilities, including the ability to compromise UEFI-based systems and exploit the vulnerability CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. Notably, HybridPetya infects EFI partitions, enabling persistence even after operating system reinstallation.
The exploitation of CVE-2024-7344 is particularly concerning because it undermines Secure Boot, the mechanism meant to prevent unsigned or unauthorized code from running during the boot process. By installing itself on the EFI system partition rather than inside the operating system, HybridPetya survives the usual remediation step of reinstalling the OS. This tactic reflects a growing trend among malware developers to target firmware and boot components, which are inherently harder to detect and eradicate than OS-level malware.
The historical context of Petya and NotPetya underscores the potential severity of HybridPetya. The original Petya attacks were devastating due to their combination of ransomware and wiper functionalities, causing widespread disruption. HybridPetya's ability to persist through OS reinstalls and bypass Secure Boot suggests that it could have a similarly significant impact if it becomes widespread.
For cybersecurity professionals, the emergence of HybridPetya reinforces the need for robust firmware security measures. Key actions include ensuring systems are updated to patch vulnerabilities like CVE-2024-7344, monitoring EFI system partitions for unexpected or modified boot binaries, and implementing additional security layers to detect and prevent firmware-level attacks. This development also highlights the importance of continuous monitoring and threat intelligence to stay ahead of evolving malware tactics.
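One way to act on the "monitor EFI partitions" recommendation is to baseline the EFI system partition (ESP) while a machine is known-good and later diff it, treating any new or changed PE/COFF image as the priority alert. The script below is an added example, not code from ESET or the article; the fake ESP layout, file names and byte contents in `demo()` are constructed test data, and on a real host the ESP root would be its mount point (for example `/boot/efi` on Linux).

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_pe_image(path: Path) -> bool:
    # UEFI applications and drivers are PE/COFF images, so they start with "MZ"
    with path.open("rb") as f:
        return f.read(2) == b"MZ"

def snapshot(esp_root: Path) -> dict:
    """Map every file on the ESP (path relative to its root) to a hash and a PE flag."""
    return {p.relative_to(esp_root).as_posix(): {"sha256": sha256_of(p), "pe": is_pe_image(p)}
            for p in sorted(esp_root.rglob("*")) if p.is_file()}

def diff_esp(baseline: dict, current: dict) -> dict:
    """Compare a trusted baseline with the live ESP; new or changed PE images are the key signal."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k]["sha256"] != current[k]["sha256"])
    suspicious = [k for k in added + modified if current[k]["pe"]]
    return {"added": added, "removed": removed, "modified": modified, "suspicious_pe": suspicious}

def demo() -> dict:
    """Constructed fixture: a fake ESP layout in a temp dir, baselined and then tampered with."""
    root = Path(tempfile.mkdtemp())
    boot = root / "EFI" / "Microsoft" / "Boot"
    boot.mkdir(parents=True)
    (boot / "bootmgfw.efi").write_bytes(b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    baseline = snapshot(root)           # taken while the system is known-good
    # Simulated compromise: boot manager replaced, a new EFI image and a data blob dropped
    (boot / "bootmgfw.efi").write_bytes(b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
    (root / "EFI" / "Boot").mkdir()
    (root / "EFI" / "Boot" / "loader.efi").write_bytes(b"MZ" + b"\x00" * 10)
    (root / "EFI" / "Boot" / "config.dat").write_bytes(b"not a PE image")
    return diff_esp(baseline, snapshot(root))

if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Store the baseline off the host and re-run the diff after every legitimate boot-loader update, since firmware updates also change these files. A compromised firmware could hide files from the running OS, so a clean diff is a useful signal rather than proof of integrity.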