The PolySwarm Blog


HybridPetya

Sep 22, 2025 2:40:03 PM / by The Hivemind

Verticals Targeted: Not specified
Regions Targeted: None
Related Families: Petya, NotPetya, NotPetyaAgain, RedPetyaOpenSSL

Executive Summary

HybridPetya is a ransomware variant resembling Petya/NotPetya, capable of compromising UEFI-based systems and exploiting CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems. While not observed in active campaigns, its advanced capabilities warrant close monitoring by security teams.

Key Takeaways

  • HybridPetya, discovered on VirusTotal in February 2025, mimics Petya/NotPetya by encrypting the Master File Table (MFT) but introduces UEFI compatibility.  
  • A variant exploits CVE-2024-7344, using a malicious cloak.dat file to bypass UEFI Secure Boot on systems without Microsoft’s January 2025 dbx update.  
  • Unlike NotPetya, HybridPetya allows decryption key recovery, functioning as traditional ransomware rather than a purely destructive tool.  
  • The malware includes a UEFI bootkit that installs a malicious EFI application to encrypt MFT on NTFS partitions, displaying fake CHKDSK messages to mask its activity.

What is HybridPetya?

In February 2025, ESET Research uncovered HybridPetya, a ransomware sample uploaded from Poland to a public malware-scanning service, echoing the destructive Petya/NotPetya malware of 2016–2017. Named for its shared traits with both predecessors, HybridPetya distinguishes itself with UEFI system compatibility and a novel UEFI Secure Boot bypass exploiting CVE-2024-7344. Although ESET telemetry shows no active deployment in the wild, its technical sophistication demands attention from malware analysts and security leaders.

HybridPetya targets the Master File Table (MFT) on NTFS-formatted partitions, encrypting critical metadata to render files inaccessible, a hallmark of Petya/NotPetya. Unlike NotPetya, which was designed for destruction with unrecoverable keys, HybridPetya’s key generation algorithm, inspired by the RedPetyaOpenSSL proof-of-concept, allows operators to reconstruct decryption keys from victims’ personal installation keys, aligning it closer to traditional ransomware.

A key innovation is its UEFI bootkit, which installs a malicious EFI application on the EFI System Partition. This bootkit supports both legacy and UEFI systems, checking an encryption flag in the `\EFI\Microsoft\Boot\config` file to determine its actions: encryption (flag 0), displaying a ransom note (flag 1), or decryption (flag 2). During encryption, it uses the Salsa20 algorithm with a 32-byte key and 8-byte nonce, targeting MFT on NTFS partitions identified by their signature. A fake CHKDSK message masks the encryption process, while a counter file tracks encrypted disk clusters.

The UEFI Secure Boot bypass variant leverages CVE-2024-7344 through a specially crafted `cloak.dat` file. This file, loaded by a vulnerable Microsoft-signed `reloader.efi`, bypasses integrity checks to execute the malicious bootkit on systems that have not received Microsoft’s January 2025 dbx update. The uploaded archive also included encrypted partition data and a backup of the legitimate bootloader, indicating that encryption had already taken place.
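The practical question a defender has after reading this is whether the vulnerable `reloader.efi` is actually revoked on a given machine, which comes down to whether its hash is present in the firmware's dbx variable. The script below, added here as an example and not code from PolySwarm or ESET, parses a dbx payload (a concatenation of `EFI_SIGNATURE_LIST` structures as defined in the UEFI specification) and answers that question for any SHA-256 you supply. The bulletin does not give the dbx hash of `reloader.efi`, so the value to look up is a placeholder you must replace; the `build_sha256_list` helper builds a constructed dbx blob so the code runs offline.

```python
"""Check whether a SHA-256 digest is revoked in a UEFI dbx payload.

Added example (not PolySwarm's or ESET's code). Parses EFI_SIGNATURE_LIST
structures per the UEFI spec; the RELOADER_EFI_SHA256 value is a placeholder.
"""
import struct
import uuid

# EFI_CERT_SHA256_GUID: entries in this list type are raw SHA-256 digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_CERT_X509_GUID: entries are DER certificates (revocation by certificate).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# PLACEHOLDER: the dbx hash of the vulnerable reloader.efi is not given in the
# bulletin; take it from Microsoft's January 2025 dbx advisory material.
RELOADER_EFI_SHA256 = "00" * 32


def parse_signature_lists(blob: bytes):
    """Return [(signature_type, signature_owner, signature_data), ...].

    Layout of one EFI_SIGNATURE_LIST:
      GUID   SignatureType        (16 bytes, little-endian GUID)
      UINT32 SignatureListSize    (whole list incl. this header)
      UINT32 SignatureHeaderSize  (opaque header following the 28-byte fixed part)
      UINT32 SignatureSize        (size of each EFI_SIGNATURE_DATA entry)
      UINT8  SignatureHeader[SignatureHeaderSize]
      EFI_SIGNATURE_DATA Signatures[]  -> GUID SignatureOwner + data
    """
    entries = []
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def revoked_sha256s(blob: bytes):
    """Set of lowercase hex SHA-256 digests revoked by hash in this dbx blob."""
    return {
        data.hex()
        for sig_type, _owner, data in parse_signature_lists(blob)
        if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32
    }


def is_hash_revoked(blob: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256s(blob)


def load_dbx_from_efivars(path="/sys/firmware/efi/efivars/"
                               "dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"):
    """Linux: efivarfs prefixes the variable data with 4 bytes of attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Constructed EFI_SIGNATURE_LIST of SHA-256 entries, for offline testing."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


if __name__ == "__main__":
    # Constructed dbx blob: one list with two revoked digests.
    demo = build_sha256_list(["aa" * 32, "bb" * 32])
    print("entries:", len(parse_signature_lists(demo)))
    print("reloader.efi (placeholder hash) revoked:",
          is_hash_revoked(demo, RELOADER_EFI_SHA256))
```

On Windows the same payload is available from an elevated PowerShell session as `(Get-SecureBootUEFI -Name dbx).Bytes`; save it to a file and feed the bytes to `is_hash_revoked`. A system where the `reloader.efi` hash is absent from dbx is still exposed to the bypass this variant relies on.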

HybridPetya’s installer targets UEFI systems by detecting GPT partitions and the EFI System Partition. It drops configuration files, creates a verification array for key validation, and backs up the legitimate bootloader before triggering a system crash via the `NtRaiseHardError` API, forcing a reboot to execute the bootkit. The decryption process, initiated after a valid 32-character key is entered, reverses MFT encryption and restores legitimate bootloaders.

IOCs

PolySwarm has multiple samples of HybridPetya.


65f77a21080cb4f151d0df6142a0eb039f6ecdc73346e7eece0f56408b8f4c27

c25e5f72850f5571e312043ad9bc3542e3dfa258d3e913b23900d3e46b998437

b949e95160734c2240ed6f330a5586e2a890264ae207df2b2f7209e361b1d239

ccdad8f0f97fc54d7d568414364887dcbe57299257305994ea187c43a7c040a8

01b57ae9cb77780f0fa2bb06f2eb78bcba188e824811e21f4b2b00d7f6fd7c1d

f3cc228437d4bcad020da7c4c224d39b77bb966fade73f20b121d78bcc66ef0a

c75a0c76dd7cd7f364421b9b13bd2d7c4a0778bfc2a4e85e54283d75e91ae65c

20fbf95c129365c6ec6c0bf20c8fd6a294bd8321f19ddaab96d522bf7ac333e9


You can use the following CLI command to search for all HybridPetya samples in our portal:

$ polyswarm link list -f HybridPetya
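To turn the hashes above and the on-disk artifacts the bulletin describes into a local check, the following script, added here as an example and not PolySwarm's tooling, sweeps a directory tree such as a mounted EFI System Partition (on Windows, `mountvol S: /S` mounts it) or a quarantine folder. It reports files whose SHA-256 matches the IoC list, files named `cloak.dat` or `reloader.efi` (which the bulletin ties to the Secure Boot bypass), and the bootkit's `\EFI\Microsoft\Boot\config` flag file. The test fixture it builds is constructed data; a name match alone is a lead to inspect, not proof of infection.

```python
"""Sweep a directory for HybridPetya indicators from the PolySwarm bulletin.

Added example, not PolySwarm's code. HASHES are the bulletin's SHA-256 IoCs;
the file names and the config path are those the bulletin describes.
"""
import hashlib
import sys
from pathlib import Path

HASHES = {
    "65f77a21080cb4f151d0df6142a0eb039f6ecdc73346e7eece0f56408b8f4c27",
    "c25e5f72850f5571e312043ad9bc3542e3dfa258d3e913b23900d3e46b998437",
    "b949e95160734c2240ed6f330a5586e2a890264ae207df2b2f7209e361b1d239",
    "ccdad8f0f97fc54d7d568414364887dcbe57299257305994ea187c43a7c040a8",
    "01b57ae9cb77780f0fa2bb06f2eb78bcba188e824811e21f4b2b00d7f6fd7c1d",
    "f3cc228437d4bcad020da7c4c224d39b77bb966fade73f20b121d78bcc66ef0a",
    "c75a0c76dd7cd7f364421b9b13bd2d7c4a0778bfc2a4e85e54283d75e91ae65c",
    "20fbf95c129365c6ec6c0bf20c8fd6a294bd8321f19ddaab96d522bf7ac333e9",
}

# File names the bulletin associates with the CVE-2024-7344 bypass chain.
SUSPICIOUS_NAMES = {"cloak.dat", "reloader.efi"}
# Bootkit flag/config file, relative to the ESP root (compared case-insensitively).
CONFIG_REL = "efi/microsoft/boot/config"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root) -> list:
    """Return (kind, relative_path, sha256) findings for every file under root.

    kind is one of: "ioc_hash", "suspicious_name", "bootkit_config".
    """
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        digest = sha256_file(p)
        if digest in HASHES:
            findings.append(("ioc_hash", rel, digest))
        if p.name.lower() in SUSPICIOUS_NAMES:
            findings.append(("suspicious_name", rel, digest))
        if rel.lower() == CONFIG_REL:
            findings.append(("bootkit_config", rel, digest))
    return findings


def make_fixture(base) -> Path:
    """Constructed test tree: a benign bootloader plus the two bootkit artifacts."""
    base = Path(base)
    (base / "EFI" / "Boot").mkdir(parents=True)
    (base / "EFI" / "Microsoft" / "Boot").mkdir(parents=True)
    (base / "EFI" / "Boot" / "bootx64.efi").write_bytes(b"MZ-benign-placeholder")
    (base / "EFI" / "Microsoft" / "Boot" / "config").write_bytes(b"\x00")
    (base / "EFI" / "Microsoft" / "Boot" / "cloak.dat").write_bytes(b"constructed")
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        import tempfile
        target = make_fixture(tempfile.mkdtemp())
    for kind, rel, digest in sweep(target):
        print(f"{kind:16} {rel}  {digest}")
```

Run it against a mounted ESP as `python sweep.py S:\` (or the mount point on Linux); with no argument it builds the constructed fixture and reports on that. A clean ESP normally contains no `cloak.dat` and no `config` file under `EFI\Microsoft\Boot`, so either finding deserves a look even when no hash matches.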



Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Ransomware, Malware Analysis, Petya, NotPetya, HybridPetya, UEFI bootkit, CVE-2024-7344, Secure Boot bypass, Master File Table

Written by The Hivemind