New Ransomware HybridPetya Exploits Patched UEFI Secure Boot Vulnerability

A new ransomware strain called HybridPetya has been discovered by ESET researchers to exploit a patched vulnerability in Windows systems. This is not the first time a bootkit has bypassed UEFI Secure Boot, and it comes as more proof that these bypasses are not just urban legends.

The malware uses the CVE-2024-7344 vulnerability, which was previously disclosed and patched by Microsoft. However, where that fix is not in place, HybridPetya can still exploit the vulnerability to encrypt files on NTFS-formatted partitions, displaying a fake “CHKDSK” message while the disk encryption is underway.

Unlike NotPetya, HybridPetya functions as ransomware, allowing the malware operator to reconstruct the decryption key from the personal installation key. The algorithm used by HybridPetya is different from its predecessors, making it noteworthy for future threat monitoring.

The discovery of HybridPetya comes after three other documented Secure Boot bypasses, including BlackLotus and Bootkitty. While HybridPetya does not appear to be actively spreading, its technical capabilities make it a notable example of how bootkits can hijack systems before the operating system loads.

Note: I simplified the text by removing complex concepts and jargon, making it easier for non-experts to understand.

Source: https://www.theregister.com/2025/09/12/hopefully_just_a_poc_hybridpetya