
    What You Need to Know About HybridPetya Ransomware

    Key Takeaways:

    • HybridPetya combines Petya-style MFT encryption with the destructive traits of NotPetya.
    • It bypasses UEFI Secure Boot by exploiting CVE-2024-7344, an already-patched flaw in the Howyar Reloader UEFI bootloader, on systems that have not applied the revocation.
    • Its bootkit lives on the EFI System Partition, outside the Windows installation, so a plain OS reinstall that leaves that partition untouched does not remove it.

    Researchers have identified a new ransomware strain, HybridPetya, which merges the MFT-encryption approach of Petya with the destructive, wiper-like behaviour of NotPetya. The malware exploits a patched vulnerability to bypass UEFI Secure Boot on Windows systems that have not yet applied the revocation for the vulnerable bootloader.

    This combined ransomware and UEFI bootkit was first spotted by ESET researchers in February 2025. They named it HybridPetya because it shares traits with the well-known Petya and NotPetya strains.

    Petya is ransomware that encrypts the Master File Table (MFT) of the NTFS system volume rather than individual files; without the MFT, NTFS cannot locate any file, so the whole system becomes unusable. It achieves this by hijacking the boot process so its own code runs before Windows starts. NotPetya was a later variant that behaved like a wiper: it damaged data permanently and offered no genuine way to recover it.

    HybridPetya combines ransomware and bootkit techniques to compromise vulnerable Windows systems. It targets UEFI (Unified Extensible Firmware Interface), the firmware interface that controls the boot process on modern computers, and exploits a vulnerability in a signed UEFI application to bypass Secure Boot. Once it has gained a foothold, it installs a malicious UEFI application on the EFI System Partition; at the next boot this code runs before Windows and encrypts the MFT, making files inaccessible and locking users out of the system.
</gml_replace>
<gr_replace lines="19" cat="clarify" orig="HybridPetya can">
    The bootkit component resides on the EFI System Partition (ESP), not in the firmware flash itself, so it is not removed by reinstalling Windows unless the ESP is recreated as part of that process; a full wipe of the disk does remove it. To get its unsigned code running under Secure Boot, HybridPetya exploits CVE-2024-7344 in the Howyar Reloader UEFI bootloader, a Microsoft-signed application that loads a further binary without Secure Boot verification. This lets the malware start its malicious UEFI payload during system startup on any machine that still trusts the vulnerable loader; Microsoft has since revoked that binary, so patched and revoked systems are not affected.

    HybridPetya can survive even if the operating system is reinstalled or the hard drive is wiped, because it resides in the firmware. HybridPetya also uses an exploit (CVE‑2024‑7344) in the Howyar Reloader UEFI bootloader to load unauthorized software during system startup. This allows it to bypass Secure Boot and deploy malicious UEFI payloads that infect the system at a firmware level.

    ESET researchers have so far found no evidence that HybridPetya has been used in the wild. Unlike NotPetya, it also has no network-spreading capability, so it cannot propagate rapidly across an organization on its own.

    “Although HybridPetya is not actively spreading, its technical capabilities — especially MFT encryption, UEFI system compatibility, and Secure Boot bypass — make it noteworthy for future threat monitoring,” ESET security researcher Martin Smolár explained. The malware “shows that Secure Boot bypasses are not just possible — they’re becoming more common and attractive to both researchers and attackers.”

    To protect organizations against HybridPetya, treat firmware and UEFI components as part of the software attack surface. Administrators should regularly audit and update UEFI firmware, confirm that Secure Boot is enabled and that the forbidden-signature database (dbx) revocations are applied, and disable or remove vulnerable third-party bootloaders such as Howyar Reloader. They should also monitor the EFI System Partition for unexpected changes and collect UEFI-related logs to detect early signs of compromise.
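    The following PowerShell script is an added example, not code from the article or from ESET's research, showing how an administrator can carry out the audit described above on a single Windows host: confirm Secure Boot is on, check that dbx is populated, mount the EFI System Partition, inventory every EFI binary with its hash and signer, flag the known-vulnerable loader name and anything outside the stock Windows directories, and diff the result against the previous run. The drive letter S: and the baseline file location are assumptions; the allow-list of ESP directories matches a plain Windows install and will flag legitimate OEM or Linux boot directories, so treat its output as a triage list rather than a verdict.

```powershell
#Requires -RunAsAdministrator
# Added example (not from ESET or the article): read-only audit of Secure Boot,
# dbx and the EFI System Partition (ESP) on a UEFI Windows host.

$EspDrive     = 'S:'                                   # assumption: unused drive letter for the ESP
$BaselinePath = "$env:ProgramData\esp-baseline.csv"    # assumption: where the last inventory is kept
$KnownDirs    = @("$EspDrive\EFI\Microsoft", "$EspDrive\EFI\Boot")   # stock Windows ESP layout

# 1. Secure Boot must be enabled. Confirm-SecureBootUEFI throws on legacy-BIOS machines.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { Write-Warning "Secure Boot state unavailable (legacy BIOS or no UEFI access): $_"; $secureBoot = $false }
Write-Host ("Secure Boot enabled: {0}" -f $secureBoot)

# 2. dbx is the forbidden-signature database where Microsoft revoked the vulnerable
#    reloader.efi. dbx holds Authenticode (PE image) hashes, not flat file hashes,
#    so this only reports its size as a sign that revocation updates are landing;
#    compare the value with a host you know is fully updated.
try   { $dbx = Get-SecureBootUEFI -Name dbx; Write-Host ("dbx size: {0} bytes" -f $dbx.Bytes.Length) }
catch { Write-Warning "Could not read dbx: $_" }

# 3. Mount the ESP and inventory every .efi (PE) binary on it.
mountvol $EspDrive /S | Out-Null
try {
    $findings = Get-ChildItem -Path "$EspDrive\" -Recurse -Include *.efi -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $inKnownDir = $false
            foreach ($d in $KnownDirs) {
                if ($file.FullName.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inKnownDir = $true }
            }
            [pscustomobject]@{
                Path       = $file.FullName
                Size       = $file.Length
                SHA256     = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SigStatus  = $sig.Status
                # Triage flags: the vulnerable third-party loader by name, an unsigned
                # binary, or any EFI binary outside the stock Windows directories.
                Suspicious = ($file.Name -ieq 'reloader.efi') -or
                             ($sig.Status -eq 'NotSigned') -or
                             (-not $inKnownDir)
            }
        }

    Write-Host "`nEFI binaries on the ESP:"
    $findings | Sort-Object Suspicious -Descending | Format-Table Path, Size, SigStatus, Suspicious -AutoSize

    # 4. Diff against the previous inventory so a replaced or added bootloader shows up.
    if (Test-Path $BaselinePath) {
        $old  = Import-Csv -Path $BaselinePath
        $diff = Compare-Object -ReferenceObject $old -DifferenceObject $findings -Property Path, SHA256
        if ($diff) { Write-Warning "ESP changed since last run:"; $diff | Format-Table Path, SHA256, SideIndicator -AutoSize }
        else       { Write-Host "ESP unchanged since last run." }
    }
    $findings | Export-Csv -NoTypeInformation -Path $BaselinePath

    # 5. Firmware boot entries: an extra or altered entry is another place a bootkit hides.
    Write-Host "`nFirmware boot entries:"
    bcdedit /enum firmware
}
finally {
    mountvol $EspDrive /D   # always unmount the ESP, even if the inventory failed
}
```

    Run it from an elevated session on a schedule and ship the CSV and warnings to your SIEM; the first run only establishes the baseline, and every later run reports any ESP binary whose path or hash has changed. Because dbx stores Authenticode hashes, do not try to match the SHA256 column against dbx contents; verifying that a specific revocation is present needs the Authenticode hash of the binary in question.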

    Additionally, organizations should enforce strict access controls (writing to the ESP requires administrative rights, so limiting those limits the initial foothold), use endpoint detection tools that can inspect firmware and the boot chain, and follow security guidance from their hardware and operating-system vendors. A recovery plan should also cover rebuilding the EFI System Partition, reflashing firmware, or replacing hardware in case of infection.
