HybridPetya Ransomware Alarmingly Sneaks Past BIOS Secure Boot To Install Malware
by Victor Awogbemila · HotHardware

UEFI Secure Boot was designed to block malicious code from sneaking into your PC's BIOS boot-up process. However, a newly discovered ransomware dubbed HybridPetya somehow found a way to circumvent this. Cybersecurity firm ESET discovered the threat and revealed that it had not been observed in any active attacks just yet.
Here's how it operates. HybridPetya can recognize when a system's hard drive is set up with UEFI. Normally, UEFI Secure Boot would block tampering by verifying the signature of every piece of software that runs during boot, but this ransomware exploits the CVE-2024-7344 vulnerability to get past that check. After bypassing Secure Boot, it goes straight to the boot partition, where it can change, remove, or insert files. By doing so, it gains control over the system's startup process and then locks and encrypts the rest of the drive's contents.
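Because the bootkit has to write to the EFI System Partition to take over startup, a defender can baseline that partition and diff it later. The following is an added example (not code from ESET or HotHardware) that snapshots a mounted ESP root by file hash and reports added, removed, and changed files; the directory layout and file contents in `demo()` are constructed to stand in for a real partition.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot_esp(root):
    """Map every file under the (mounted) EFI System Partition root to its SHA-256."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            # FAT32 paths are case-insensitive, so normalise before comparing.
            rel = path.relative_to(root).as_posix().lower()
            snap[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def diff_snapshots(baseline, current):
    """Return (added, removed, changed) relative paths between two ESP snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed ESP layout in a temp dir: take a baseline, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"MZ-constructed-windows-boot-manager")
        (boot / "BCD").write_bytes(b"constructed-bcd-store")
        baseline = snapshot_esp(tmp)
        # The kind of change the article describes: a loader replaced, a file
        # inserted and a file removed on the boot partition (all constructed).
        (boot / "bootmgfw.efi").write_bytes(b"MZ-constructed-replaced-loader")
        (boot / "unexpected.efi").write_bytes(b"constructed-inserted-file")
        (boot / "BCD").unlink()
        return diff_snapshots(baseline, snapshot_esp(tmp))


if __name__ == "__main__":
    print(demo())
```

On a real system, run `snapshot_esp` against the mounted ESP (for example `S:\` after `mountvol S: /S` on Windows, or `/boot/efi` on Linux) once from a known-good state and store the result; any later diff that is not explained by an OS or firmware update deserves investigation.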
At this stage, a user can no longer access their PC files, so HybridPetya displays a message confirming their files have been encrypted and requests $1000 worth of Bitcoin as a ransom. It also asks the victim to send their Bitcoin wallet ID and a displayed installation key to redeem their files.
This attack process is similar to past malware infections like Petya and NotPetya, which malicious actors unleashed between 2016 and 2017. However, unlike HybridPetya, Petya and NotPetya were designed to destroy data rather than to demand a ransom for file recovery. According to ESET, HybridPetya's discovery confirms that UEFI bootkits featuring Secure Boot bypass functionality pose a real issue.
On a more positive note, the CVE-2024-7344 vulnerability, which HybridPetya exploits, was fixed in January 2025's Patch Tuesday. So if your Windows PC is up-to-date, you should be safe from this ransomware.