HybridPetya Ransomware Bypasses UEFI Secure Boot


Eset Uncovers New Malware Variant, HybridPetya


Security researchers at Eset have identified a new malware variant reminiscent of the notorious Petya/NotPetya, which they have named “HybridPetya.” The finding was shared on Friday, and Eset stressed that, as of now, there is no telemetry indicating deployment in the wild.

Unlike its predecessor, HybridPetya lacks the aggressive self-propagation that let NotPetya inflict approximately $10 billion in damage worldwide in 2017. It does, however, add a significant capability: it targets the Secure Boot feature of the Unified Extensible Firmware Interface (UEFI), allowing it to install a malicious UEFI application undetected. That places it alongside other UEFI bootkits such as BlackLotus and Bootkitty, which attackers prize because they evade conventional antivirus solutions and persist even after the operating system is reinstalled.

HybridPetya follows the same attack methodology as its predecessors: it encrypts the Master File Table (MFT), which holds the file, directory and metafile records for NTFS-formatted volumes on Windows systems. It shares visual elements with the earlier strains but differs in that the encryption can potentially be reversed, allowing the locked files to be decrypted. Once a system is compromised, the victim receives a ransom demand for $1,000 in Bitcoin.

The discovery of HybridPetya began when Eset researchers found samples on Google’s VirusTotal in February. Their investigation led them to an archive of bootkit variants that confirmed a connection to the HybridPetya toolkit. Eset also detailed a specific flaw, tracked as CVE-2024-7344, in a Microsoft-signed UEFI application named reloader.efi; Microsoft had revoked its approval of this application earlier in January because of the vulnerability.

Eset described how HybridPetya works. The malware carries its UEFI application inside a file called cloak.dat. During system boot, if the vulnerable reloader.efi binary executes, it searches the EFI System Partition for cloak.dat and loads the application embedded in it without performing any integrity check, thereby bypassing UEFI Secure Boot.
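The mechanism above gives defenders two concrete file-level indicators on the EFI System Partition: the revoked loader (reloader.efi) and the container it loads (cloak.dat). The following script is an added example, not Eset's tooling or code from the report; it walks a mounted ESP (or an offline copy of its tree), reports any hit with its SHA-256 and size for triage, and flags the two files sitting in the same directory, which is the layout the loader looks for. The `make_sample_esp()` helper builds a constructed tree with placeholder bytes so the check can be exercised offline; no known-bad hashes appear on the page, so none are matched here.

```python
"""Scan a mounted EFI System Partition for the HybridPetya loader/payload pair.

Added example, not ESET's code. Assumes the ESP (or a copy of its tree) is
reachable at the path passed to scan_esp(). File names come from the report;
known-bad hashes are not on the page, so hits are reported with their SHA-256
for analyst triage rather than compared against IoCs.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

# Indicators named in the report: the revoked Microsoft-signed loader and the
# container whose embedded application it loads without an integrity check.
LOADER_NAME = "reloader.efi"
PAYLOAD_NAME = "cloak.dat"


@dataclass
class Finding:
    path: str
    sha256: str
    size: int


@dataclass
class ScanResult:
    loaders: list = field(default_factory=list)
    payloads: list = field(default_factory=list)

    @property
    def paired_dirs(self):
        """Directories holding both files: the layout the loader searches for."""
        loader_dirs = {os.path.dirname(f.path) for f in self.loaders}
        payload_dirs = {os.path.dirname(f.path) for f in self.payloads}
        return sorted(loader_dirs & payload_dirs)

    @property
    def suspicious(self):
        # cloak.dat has no legitimate role on an ESP, and the loader is revoked,
        # so either file on its own is worth an analyst's attention.
        return bool(self.loaders or self.payloads)


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_esp(root):
    """Walk the ESP tree; FAT is case-insensitive, so names are compared lower-cased."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered not in (LOADER_NAME, PAYLOAD_NAME):
                continue
            full = os.path.join(dirpath, name)
            finding = Finding(full, sha256_file(full), os.path.getsize(full))
            (result.loaders if lowered == LOADER_NAME else result.payloads).append(finding)
    return result


def report(result):
    """Human-readable triage lines; returned (not printed) so callers can log them."""
    lines = []
    for f in result.loaders:
        lines.append(f"revoked loader present: {f.path} sha256={f.sha256} size={f.size}")
    for f in result.payloads:
        lines.append(f"payload container present: {f.path} sha256={f.sha256} size={f.size}")
    for d in result.paired_dirs:
        lines.append(f"loader and payload co-located in {d}: treat as a live bootkit install")
    if not lines:
        lines.append("no HybridPetya indicators found")
    return lines


def make_sample_esp():
    """Constructed sample tree (placeholder bytes, not real malware) for offline testing.

    Returns (root, boot_dir). Mixed-case file name exercises the FAT-style matching.
    """
    root = tempfile.mkdtemp(prefix="esp-sample-")
    boot = os.path.join(root, "EFI", "Microsoft", "Boot")
    os.makedirs(boot)
    with open(os.path.join(boot, "Reloader.EFI"), "wb") as fh:
        fh.write(b"constructed loader bytes")
    with open(os.path.join(boot, "cloak.dat"), "wb") as fh:
        fh.write(b"constructed payload bytes")
    return root, boot


if __name__ == "__main__":
    import sys
    # Mount the ESP first: on Windows `mountvol S: /S` (elevated), then pass S:\ ;
    # on Linux it is commonly mounted at /boot/efi. `--demo` scans the sample tree.
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        root, _ = make_sample_esp()
    else:
        root = sys.argv[1] if len(sys.argv) > 1 else "/boot/efi"
    for line in report(scan_esp(root)):
        print(line)
```

The co-location check matters more than either hit alone: a stray cloak.dat with no loader cannot execute, while the revoked loader next to a payload container is the exact configuration the report describes. On hosts where Secure Boot is enforced and the CVE-2024-7344 revocation has been applied, the loader will no longer run, but the files may still be present and should be collected as evidence of an attempted install.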

HybridPetya signals an advancing trend in the sophistication of cyber threats, particularly UEFI bootkits. Machines with the patches against CVE-2024-7344 applied remain protected against this variant, but the existence of such malware shows that business owners need heightened vigilance in their cybersecurity measures.

Viewed through the MITRE ATT&CK framework, initial access comes first, since attackers would likely exploit UEFI vulnerabilities to gain a foothold on systems; persistence then becomes crucial once their malicious code is embedded within the firmware. Given the evolving threat landscape, organizations must stay informed and responsive to these emerging cybersecurity challenges.
