New ‘HybridPetya’ Ransomware Can Bypass UEFI Secure Boot

Slovakian cybersecurity company ESET has uncovered a new dangerous ransomware strain dubbed “HybridPetya” that can bypass UEFI Secure Boot, one of Windows’ most critical protections against malicious software. The finding has sparked concerns that ransomware developers are moving to target systems at the deepest possible level: the boot process itself.

The malware takes its inspiration from the infamous Petya and NotPetya attacks that wreaked havoc in 2016 and 2017, causing billions of dollars in damages, crippling banks, shipping companies, and government agencies around the world. But unlike its predecessors, HybridPetya has been upgraded to compromise modern systems by targeting the EFI System Partition during the earliest stage of start-up.

How HybridPetya Works

HybridPetya is part ransomware, part bootkit. Once installed, the malware replaces legitimate Windows boot files with a malicious loader, forcing the computer to reboot. During start-up, the malware secretly encrypts the Master File Table (MFT) on NTFS partitions — the critical database that keeps track of every file on the system. Instead of starting normally, the malware displays a fake disk-checking screen (CHKDSK), a tactic borrowed directly from the original Petya malware.

When the process is complete, users are greeted with a ransom note demanding $1,000 in Bitcoin in exchange for a decryption key. Unlike NotPetya, which was considered purely destructive rather than profit-driven because it offered no way to recover data, HybridPetya appears to allow decryption, and thus data recovery, if victims pay.

Exploiting A Known Flaw

The real danger lies in HybridPetya’s ability to bypass Secure Boot, a feature designed to block untrusted software from loading before Windows starts. According to ESET researchers, the ransomware achieves this by exploiting a known flaw, CVE-2024-7344, in a Microsoft-signed UEFI application on outdated systems. Although Microsoft patched the flaw in January 2025, unpatched systems remain vulnerable.

“Late in July 2025, we encountered suspicious ransomware samples under various filenames, including notpetyanew.exe and other similar ones, suggesting a connection with the infamously destructive malware that struck Ukraine and many other countries back in 2017,” said ESET researcher Martin Smolar, who made the discovery, in a news release.

“The NotPetya attack is believed to be the most destructive cyberattack in history, with more than $10 billion in total damages. Due to the shared characteristics of the newly discovered samples with both Petya and NotPetya, we named this new malware HybridPetya.”

Smolar warned that HybridPetya is now at least the fourth publicly known example of a real or proof-of-concept UEFI bootkit with UEFI Secure Boot bypass functionality, joining earlier threats like BlackLotus (exploiting CVE-2022-21894), Bootkitty (exploiting LogoFAIL), and the Hyper-V Backdoor PoC (exploiting CVE-2020-26200).

“This shows that Secure Boot bypasses are not just possible – they’re becoming more common and attractive to both researchers and attackers,” he concluded.

Not In the Wild — Yet

At this stage, ESET has found no evidence of HybridPetya being deployed in real-world attacks. The only known samples were uploaded to VirusTotal earlier this year from Poland, suggesting the malware could be a proof-of-concept (POC) or an early test by cybercriminals. Unlike NotPetya, it does not spread automatically across networks.

Still, security experts caution it’s a major warning shot that demonstrates just how far ransomware is evolving toward more advanced techniques, capable of undermining even core system protections.

What You Can Do

Experts stress that the best defense is to stay updated. Users who have installed Microsoft’s January 2025 updates are protected against HybridPetya’s Secure Boot bypass.

Security teams are also advised to:

  • Keep Windows fully updated to ensure Secure Boot protections remain effective.
  • Maintain offline backups of critical files, ensuring data can be restored without paying ransoms.
  • Monitor for Indicators of Compromise (IoCs) published by ESET on GitHub.
  • Regularly verify that Secure Boot is enabled and functioning as intended.
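As an added example that is not part of the article or of ESET’s research, the following PowerShell script checks two of the items above on a local machine: that Secure Boot is enabled, and that the Windows boot manager on the EFI System Partition (the area HybridPetya tampers with) is still a validly signed, unmodified file, alongside an inventory of every .efi file there. It assumes an elevated prompt and a free drive letter (S:) for temporarily mounting the ESP.

```powershell
# Added example, not the article's or ESET's code. Run from an elevated prompt.
# Assumption: S: is free and can be used to mount the EFI System Partition (ESP).
$EspLetter = 'S:'

function Test-SecureBootEnabled {
    # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported firmware.
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

function Get-DbxSize {
    # dbx is Secure Boot's forbidden-signature database (revocations). Reporting
    # its size lets you confirm that revocation data is actually present.
    try { return (Get-SecureBootUEFI -Name dbx).Bytes.Length } catch { return 0 }
}

function Test-BootManagerSignature {
    param([string]$Esp)
    $bootmgr = Join-Path $Esp 'EFI\Microsoft\Boot\bootmgfw.efi'
    if (-not (Test-Path $bootmgr)) { return $null }   # missing loader is itself a finding
    $sig = Get-AuthenticodeSignature -FilePath $bootmgr
    [pscustomobject]@{
        Path     = $bootmgr
        Status   = $sig.Status                        # expect 'Valid'
        Signer   = $sig.SignerCertificate.Subject     # expect a Microsoft subject
        Sha256   = (Get-FileHash -Algorithm SHA256 $bootmgr).Hash
        Modified = (Get-Item $bootmgr).LastWriteTimeUtc
    }
}

# Mount the ESP, inspect it, and always unmount again.
mountvol $EspLetter /S
try {
    $report = Test-BootManagerSignature -Esp $EspLetter
    # Bootkits of this kind work by dropping their own loader on the ESP, so any
    # .efi file beyond the expected Microsoft/OEM set deserves a closer look.
    $efiFiles = Get-ChildItem -Path $EspLetter -Recurse -Filter *.efi -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTimeUtc
} finally {
    mountvol $EspLetter /D
}

[pscustomobject]@{
    SecureBootEnabled = Test-SecureBootEnabled
    DbxBytes          = Get-DbxSize
    BootManager       = $report
} | Format-List
$efiFiles | Format-Table -AutoSize
```

Compare the reported hash and modification time against a known-good baseline taken from a clean machine with the same Windows build; a signature status other than Valid, or an unexpected .efi file, warrants offline investigation.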

For now, HybridPetya is more of a warning than an immediate threat. But its existence is a stark reminder: the boot process itself is now a battleground in the fight against ransomware.

Kavita Iyer, https://www.techworm.net