HybridPetya Ransomware Alarmingly Sneaks Past UEFI Secure Boot To Install A Bootkit
Here's how it operates. HybridPetya first checks whether the machine boots in UEFI mode from a GPT-partitioned disk. Normally, UEFI Secure Boot would block tampering by verifying the digital signature of every boot component against the firmware's trusted certificate database before executing it, but this ransomware exploits CVE-2024-7344 to get around that check. CVE-2024-7344 is a flaw in a Microsoft-signed third-party UEFI application that loads a second binary from disk with its own PE loader instead of the firmware's LoadImage service, so the second binary is never signature-checked and runs with the trust of the signed application. After bypassing Secure Boot this way, the malware writes to the EFI System Partition (ESP), where it can modify, remove or add files, including the Windows boot manager. By doing so, it takes control of the system's startup process, and on the next boot its bootkit encrypts the NTFS Master File Table (MFT), the index Windows uses to locate every file on the volume, leaving the drive's contents inaccessible.

This attack chain resembles the Petya and NotPetya outbreaks that malicious actors unleashed in 2016 and 2017, which also encrypted the MFT from a malicious bootloader. The difference is in the ransom. Petya (2016) was genuine ransomware, but NotPetya (2017), despite displaying a ransom note, had no working way to recover the decryption key and was in effect a wiper. HybridPetya, by contrast, carries a functional key-recovery path, so its ransom demand is real. According to ESET, which analyzed the samples, HybridPetya's discovery confirms that UEFI bootkits with Secure Boot bypass functionality pose a real issue, although the company has not observed it in real-world attacks and notes it may be a proof of concept.
On a more positive note, the CVE-2024-7344 vulnerability that HybridPetya exploits was addressed in January 2025's Patch Tuesday. The fix is a revocation rather than a code change: Microsoft added the hashes of the vulnerable signed UEFI binaries to the firmware's forbidden-signature database (dbx), so a system with Secure Boot enabled and that dbx update applied refuses to run them. So if your Windows PC is up to date and Secure Boot is turned on, this particular bypass should fail. The revocation only closes the bootkit installation path, though: it does nothing on machines with Secure Boot disabled, where no signature check happens in the first place, and it does not stop the dropper itself from running once it has the administrator rights needed to write to the ESP.
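To make the Secure Boot check and the dbx revocation described above concrete, here is an added example (written for this article, not ESET's or Microsoft's code) that parses a UEFI dbx variable, i.e. a sequence of EFI_SIGNATURE_LIST structures as defined in the UEFI specification, and reports whether a given SHA-256 digest is on the forbidden list. The sample dbx, its owner GUID, its hashes and its placeholder certificate bytes are all constructed for the example; on a real Windows host the variable is exported with PowerShell's Get-SecureBootUEFI dbx, and the digest to look up is the Authenticode (PE image) hash of the boot binary, not a plain hash of the file.

```python
"""Parse a UEFI dbx (forbidden signatures) variable and check revocations.

Added example for this article, not code from ESET or Microsoft.
The EFI_SIGNATURE_LIST layout follows the UEFI specification:
  EFI_GUID SignatureType          (16 bytes, little-endian field order)
  UINT32   SignatureListSize
  UINT32   SignatureHeaderSize
  UINT32   SignatureSize
  UINT8    SignatureHeader[SignatureHeaderSize]
  EFI_SIGNATURE_DATA Signatures[] (each: 16-byte SignatureOwner GUID + data)
"""
import hashlib
import struct
import uuid

# GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

_LIST_HDR = struct.Struct("<III")      # SignatureListSize, SignatureHeaderSize, SignatureSize
_LIST_HDR_LEN = 16 + _LIST_HDR.size    # GUID + three UINT32 = 28 bytes


def parse_signature_lists(blob: bytes):
    """Return [(SignatureType GUID, [(owner GUID, signature bytes), ...]), ...].

    Raises ValueError on a truncated or self-inconsistent list instead of
    returning a partial result: a half-parsed dbx would understate what is revoked.
    """
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off + 16)
        body_off = off + _LIST_HDR_LEN + hdr_size
        body_len = list_size - _LIST_HDR_LEN - hdr_size
        if body_len < 0 or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} at offset {off} overruns the variable")
        if sig_size <= 16 or body_len % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile the list body at offset {off}")
        entries = []
        for i in range(body_len // sig_size):
            start = body_off + i * sig_size
            entry = blob[start:start + sig_size]
            entries.append((uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        lists.append((sig_type, entries))
        off += list_size
    return lists


def revoked_sha256_hashes(dbx: bytes) -> set:
    """Lower-case hex SHA-256 digests revoked by hash (EFI_CERT_SHA256 lists only).

    Certificate-based revocations (EFI_CERT_X509 lists) are skipped here; they
    revoke by signer rather than by image hash.
    """
    return {
        data.hex()
        for sig_type, entries in parse_signature_lists(dbx)
        if sig_type == EFI_CERT_SHA256_GUID
        for _owner, data in entries
    }


def is_revoked(dbx: bytes, image_sha256_hex: str) -> bool:
    """True if the Authenticode SHA-256 digest of a PE image appears in dbx.

    dbx stores the PE Authenticode digest (image hash with the checksum and
    signature fields excluded), not a flat hash of the file on disk.
    """
    return image_sha256_hex.lower() in revoked_sha256_hashes(dbx)


def build_sha256_list(hashes_hex, owner: uuid.UUID) -> bytes:
    """Encode one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct sample data)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    return EFI_CERT_SHA256_GUID.bytes_le + _LIST_HDR.pack(_LIST_HDR_LEN + len(body), 0, 16 + 32) + body


def build_x509_list(der: bytes, owner: uuid.UUID) -> bytes:
    """Encode one EFI_SIGNATURE_LIST holding a single X.509 entry (sample data only)."""
    hdr = _LIST_HDR.pack(_LIST_HDR_LEN + 16 + len(der), 0, 16 + len(der))
    return EFI_CERT_X509_GUID.bytes_le + hdr + owner.bytes_le + der


# Constructed sample data: not real revocation hashes, not a real certificate, not a real owner GUID.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
REVOKED_A = hashlib.sha256(b"constructed revoked image A").hexdigest()
REVOKED_B = hashlib.sha256(b"constructed revoked image B").hexdigest()
NOT_REVOKED = hashlib.sha256(b"constructed image still trusted").hexdigest()
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 40   # placeholder bytes, not a parsable certificate
SAMPLE_DBX = build_sha256_list([REVOKED_A, REVOKED_B], SAMPLE_OWNER) + build_x509_list(FAKE_DER, SAMPLE_OWNER)

if __name__ == "__main__":
    for h in sorted(revoked_sha256_hashes(SAMPLE_DBX)):
        print("revoked by hash:", h)
    print("A revoked:", is_revoked(SAMPLE_DBX, REVOKED_A))
    print("trusted image revoked:", is_revoked(SAMPLE_DBX, NOT_REVOKED))
```

On a real Windows host, export the variable with `(Get-SecureBootUEFI dbx).Bytes` in an elevated PowerShell session, write those bytes to a file, and pass them to `is_revoked` together with the Authenticode digest of the boot binary you want to check. A hash being present in dbx only matters if Secure Boot is actually enforcing; `Confirm-SecureBootUEFI` answers that question, which the dbx contents alone cannot.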