CYBERSECURITY ALERT
New ‘HybridPetya’ Ransomware Can Bypass UEFI Secure Boot
Published on September 15, 2025 by Aurzon- Desk
Slovak cybersecurity company ESET has uncovered a dangerous new ransomware strain dubbed “HybridPetya” that can bypass UEFI Secure Boot, one of the most critical protections against malicious code loading before Windows starts. The finding has sparked concerns that ransomware developers are moving to target systems at the deepest possible level: the boot process itself.
The malware takes its inspiration from the infamous Petya and NotPetya attacks that wreaked havoc in 2016 and 2017, causing billions of dollars in damages and crippling critical infrastructure worldwide. But unlike its predecessors, HybridPetya has been upgraded to compromise modern systems by targeting the EFI System Partition during the earliest stage of start-up.
How HybridPetya Works
HybridPetya is part ransomware, part bootkit. Once installed, the malware replaces legitimate Windows boot files with a malicious loader and forces the computer to reboot. During start-up, the loader secretly encrypts the Master File Table (MFT) on NTFS partitions — the critical database that keeps track of every file on the system. Instead of letting Windows start normally, it displays a fake disk-checking screen (CHKDSK), a tactic borrowed directly from the original Petya malware.
When the process is complete, users are greeted with a ransom note demanding $1,000 in Bitcoin. Unlike the purely destructive NotPetya, HybridPetya appears to allow for data restoration if victims pay.
Exploiting A Known Flaw to Bypass Secure Boot
The real danger lies in HybridPetya’s ability to bypass Secure Boot, a feature designed to block untrusted software from loading before Windows starts. According to ESET researchers, the ransomware achieves this by exploiting a known flaw, CVE-2024-7344, in a Microsoft-signed UEFI application on outdated systems. Although Microsoft patched the flaw in January 2025, systems that have not been updated remain vulnerable.
"The NotPetya attack is believed to be the most destructive cyberattack in history... Due to the shared characteristics of the newly discovered samples with both Petya and NotPetya, we named this new malware HybridPetya." — Martin Smolar, ESET Researcher
Smolar warned that this is at least the fourth publicly known bootkit with Secure Boot bypass functionality, joining threats like BlackLotus and Bootkitty. "This shows that Secure Boot bypasses are not just possible – they’re becoming more common and attractive to both researchers and attackers," he concluded.
Not In the Wild — Yet
At this stage, ESET has found no evidence of HybridPetya being deployed in real-world attacks. The only known samples were uploaded to VirusTotal earlier this year from Poland, suggesting the malware could be a proof of concept (PoC) or an early test. Still, security experts caution that it is a major warning shot demonstrating just how far ransomware is evolving.
How to Protect Your Business in India
Experts stress that the best defense is to stay updated. Businesses in Chandigarh and across India that have installed Microsoft’s January 2025 updates are protected against this specific bypass. Security teams are also advised to:
- Keep Windows and all software fully updated.
- Maintain offline backups of all critical business data.
- Monitor for Indicators of Compromise (IoCs) published by security firms.
- Ensure Secure Boot is enabled in the BIOS/UEFI settings.
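The following PowerShell script is an added example, not part of the article and not code from ESET; it turns three of the recommendations above (updates installed, Secure Boot enabled, IoC monitoring) into a read-only check a Windows administrator can run from an elevated prompt. It assumes drive letter `S:` is free for mounting the EFI System Partition, and because the article names the month of the fix but not the update identifier, the KB number is a placeholder to be replaced with the one that applies to your Windows build.

```powershell
# Added example: verify the boot-level controls the article recommends.
# Run from an elevated PowerShell prompt on Windows 10/11.

# 1. Secure Boot must be enabled. Confirm-SecureBootUEFI throws on legacy BIOS
#    or when the firmware does not support Secure Boot, so treat that as "off".
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false
    Write-Warning "Confirm-SecureBootUEFI failed: no UEFI firmware or Secure Boot unsupported."
}
"Secure Boot enabled   : $secureBoot"

# 2. The January 2025 cumulative update must be installed.
#    PLACEHOLDER: the article gives no KB number; substitute the KB for your build.
$requiredKb = 'KB<JANUARY-2025-UPDATE-FOR-YOUR-BUILD>'
$installed  = Get-HotFix | Sort-Object InstalledOn -Descending
"Required update present: $($installed.HotFixID -contains $requiredKb)"
"Most recent updates   : $(($installed | Select-Object -First 3).HotFixID -join ', ')"

# 3. Inventory the EFI System Partition so it can be compared against published IoCs.
#    The loader described in the article replaces legitimate boot files here, so an
#    unexpected .efi file, or a changed hash on bootmgfw.efi, is what to look for.
$espDrive = 'S:'                       # assumption: S: is not already in use
mountvol $espDrive /S | Out-Null       # mountvol /S mounts the ESP (built-in Windows tool)
try {
    $efiFiles = Get-ChildItem -Path "$espDrive\EFI" -Recurse -Filter *.efi -ErrorAction Stop
    $inventory = foreach ($f in $efiFiles) {
        [pscustomobject]@{
            Path     = $f.FullName.Substring(2)   # drop the temporary drive letter
            Size     = $f.Length
            Modified = $f.LastWriteTimeUtc
            SHA256   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            SigStatus = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
        }
    }
    $inventory | Format-Table -AutoSize

    # Keep a dated copy; diff it against the previous run and against vendor IoC lists.
    $out = Join-Path $env:ProgramData ("esp-inventory-{0}.csv" -f (Get-Date -Format yyyyMMdd))
    $inventory | Export-Csv -Path $out -NoTypeInformation
    "Inventory written to  : $out"
} finally {
    mountvol $espDrive /D | Out-Null   # always unmount the ESP
}
```

One caveat on reading the output: the bypass the article describes abuses a UEFI application that is Microsoft-signed, so a `SigStatus` of `Valid` on its own does not prove a loader is safe. The hash column is the useful field; compare it against the IoCs published by ESET or other vendors and against a known-good inventory from the same machine, and investigate any `.efi` file whose hash or path you cannot account for.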
For now, HybridPetya is more of a warning than an immediate threat. But its existence is a stark reminder: the boot process itself is now a battleground in the fight against ransomware.