October 2, 2025

New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit

HybridPetya is a new ransomware strain that mimics traits of Petya/NotPetya but adds the ability to bypass UEFI Secure Boot using a now-patched vulnerability (CVE-2024-7344). It encrypts the Master File Table (MFT) on NTFS partitions via a malicious EFI application installed on the EFI System Partition. The malware includes a bootkit and installer: the bootkit manages encryption flags (ready / encrypted / decrypted) and shows a fake CHKDSK message to mislead users, while actual encryption proceeds in the background.

The ransomware demands a $1,000 Bitcoin ransom. Victims get the option to enter a key to decrypt, which triggers a process that restores the bootloader files backed up during installation. Decryption progress is tracked via a counter file that records which disk clusters have been encrypted. Though the malicious software appears technically capable, there is no evidence yet of HybridPetya being used in real-world attacks; it may be a proof of concept.
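As an added example (not code from the article or its source), a baseline comparison of the EFI System Partition that flags what an installer like the one described would leave behind: a new EFI executable, a modified boot file, and a copy of a baseline file stored under a new name (the backup taken before replacement). The sample ESP layout, file names and contents are constructed for the demo; bootmgfw.efi is the standard Windows boot manager file name, and in real use the ESP mount path is whatever your system exposes.

```python
import hashlib
import tempfile
from pathlib import Path


def inventory_esp(esp_root):
    """Map each file on the ESP (relative POSIX path) to its SHA-256 digest."""
    root = Path(esp_root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def analyze_esp(current, baseline):
    """Compare a fresh inventory with a known-good baseline and report:
    new EFI executables, modified baseline files, files that vanished, and
    new files whose content matches a baseline file (a backup copy)."""
    baseline_digests = {digest: path for path, digest in baseline.items()}
    findings = []
    for path, digest in sorted(current.items()):
        if path not in baseline:
            if digest in baseline_digests:
                findings.append(("backup-copy", path, baseline_digests[digest]))
            elif path.lower().endswith(".efi"):
                findings.append(("new-efi-binary", path, None))
        elif baseline[path] != digest:
            findings.append(("modified", path, None))
    for path in sorted(set(baseline) - set(current)):
        findings.append(("removed", path, None))
    return findings


def demo():
    """Constructed sample: a tiny fake ESP is baselined, then altered the way
    the article describes (bootloader backed up and replaced, EFI app dropped)."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp, "EFI", "Microsoft", "Boot")
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"original bootloader")
        baseline = inventory_esp(tmp)
        # Simulated installer activity; hypothetical names, not real indicators.
        (boot / "bootmgfw.efi.bak").write_bytes(b"original bootloader")
        (boot / "bootmgfw.efi").write_bytes(b"replaced by installer")
        Path(tmp, "EFI", "Boot").mkdir()
        Path(tmp, "EFI", "Boot", "dropped.efi").write_bytes(b"unsigned efi app")
        return analyze_esp(inventory_esp(tmp), baseline)


if __name__ == "__main__":
    for kind, path, ref in demo():
        print(kind, path, f"(copy of {ref})" if ref else "")
```

Against a real system, take the baseline from a known-clean boot and rerun inventory_esp on the mounted ESP; any "new-efi-binary" or "backup-copy" finding warrants a look at Secure Boot state and the revocation (dbx) updates that retire CVE-2024-7344's signed loader.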

Source: https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
