Cybersecurity researchers have identified a new ransomware strain, dubbed HybridPetya, that mirrors the notorious Petya/NotPetya family while adding the capability to bypass Secure Boot on modern UEFI systems. The Slovakian firm ESET said samples were uploaded to VirusTotal in February 2025, marking the first public sightings of the threat in the wild. Researchers note that HybridPetya encrypts the Master File Table (MFT) and installs a malicious EFI application on the EFI System Partition to control the attack from boot.
HybridPetya comprises a bootkit and an installer, with the bootkit existing in two variants. The bootkit tracks its state with a small set of flags on the victim system: 0 (ready for encryption), 1 (already encrypted), and 2 (ransom paid and disk decrypted). When the flag is 0, the malware encrypts the \EFI\Microsoft\Boot\verify file using Salsa20 with a configuration-defined key and nonce, and creates a \EFI\Microsoft\Boot\counter file to track how many disk clusters have been encrypted. It also tampers with the CHKDSK message shown to victims so that the activity resembles a routine disk-repair process. The attacker's code can thus present a believable narrative while carrying out encryption in the background.
In one observed campaign, the ransomware demanded a ransom of $1,000 in Bitcoin to restore access, directing victims to a wallet address given in the note: 34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2. The wallet received funds between February and May 2025, though the article notes that it is currently empty. The ransom flow also includes a decryption key entered through the payment interface which, if entered correctly, triggers the decryption sequence that follows a successful payment.
Decryption proceeds by verifying the decryption key, then reading the \EFI\Microsoft\Boot\counter file to determine how many clusters to decrypt. The bootkit then restores the legitimate bootloaders from backups created during installation, after which the system prompts for a reboot. The installer components can deliberately crash the system during deployment to ensure the bootkit runs on the next startup, a technique that complicates recovery and forensics.
Security researchers also note that some HybridPetya variants leverage a remote code execution vulnerability in a UEFI loader to bypass Secure Boot. In particular, the threat group has been observed packaging a file named cloak.dat, an XOR-encoded payload that reloader.efi decodes and loads into memory in an unsafe manner, circumventing integrity checks and enabling the Secure Boot bypass. Microsoft has since revoked the vulnerable binary as part of its Patch Tuesday updates. For a broader look at related Secure Boot bypass activity, see Microsoft's revoked-binary note (dbx_info_msft_1_14_25.json) and the related cybersecurity analyses that discuss adversaries' use of bootkits and UEFI exploits. Hasherezade's PoC video and Hasherezade's X post provide additional context on PoC activity.
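As an added example (not code from ESET or from the article), the following script turns the ESP artifacts named above (the verify and counter files from the bootkit description, and cloak.dat / reloader.efi from the Secure Boot bypass chain) into a simple hunt over a mounted EFI System Partition; the sample layout it builds is constructed, and the file descriptions are assumptions drawn only from the text.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# Artifact names taken from the reporting above, keyed by ESP-relative path or
# bare file name. A hit is a lead for manual review, not proof of infection.
SUSPECT_PATHS = {
    "efi/microsoft/boot/verify": "HybridPetya key-verification file",
    "efi/microsoft/boot/counter": "HybridPetya encrypted-cluster counter",
    "cloak.dat": "XOR-encoded payload consumed by reloader.efi",
    "reloader.efi": "loader that reads cloak.dat without integrity checks",
}


def sha256_of(path: Path) -> str:
    """Hash a hit so it can be compared against vendor revocation data (dbx)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_esp(esp_root: str | Path) -> list[dict]:
    """Walk a mounted ESP and report files matching the names in the report.

    Matching is case-insensitive because the ESP is FAT32. The bootkit files
    only count at their documented path; cloak.dat/reloader.efi count anywhere.
    """
    root = Path(esp_root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix().lower()
        reason = SUSPECT_PATHS.get(rel) or SUSPECT_PATHS.get(p.name.lower())
        if reason is not None:
            hits.append({"path": rel, "reason": reason, "sha256": sha256_of(p)})
    return sorted(hits, key=lambda h: h["path"])


def demo_scan() -> list[dict]:
    """Build a constructed ESP layout (placeholder bytes, not malware) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"MZ placeholder legitimate loader")
        (boot / "verify").write_bytes(b"constructed verify blob")
        (Path(tmp) / "EFI" / "Boot").mkdir()
        (Path(tmp) / "EFI" / "Boot" / "cloak.dat").write_bytes(b"constructed")
        return scan_esp(tmp)


if __name__ == "__main__":
    for hit in demo_scan():
        print(f"{hit['path']}: {hit['reason']} (sha256 {hit['sha256'][:16]}...)")
```

Run it against a real ESP with `scan_esp("/boot/efi")` (or the drive letter Windows assigns after `mountvol`), and compare any reported hashes with the revocation data Microsoft publishes.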
Researchers from ESET caution that HybridPetya represents at least the fourth publicly known example of a real or PoC UEFI bootkit capable of Secure Boot bypass. They note that while no confirmed widespread infections have been detected yet, the emergence of such tooling – paired with PoCs and public demonstrations – suggests Secure Boot bypass techniques are increasingly attractive to both researchers and threat actors.
Security researchers also point to external disclosures and related discussions that influence how these threats are discussed publicly. Notably, Hasherezade’s work and public PoCs are part of a broader conversation about UEFI-level threats, while the industry continues to monitor developments around how Secure Boot bypass techniques evolve and whether hybrids like HybridPetya will reach broader deployment.