ESET Discovers HybridPetya: a Ransomware Capable of Bypassing Secure Boot and Attacking UEFI Systems

Researchers at ESET Research have identified a new malware dubbed HybridPetya, a dangerous ransomware reminiscent of the devastating Petya/NotPetya that caused estimated losses exceeding $10 billion in 2017. The novelty: this variant can compromise modern UEFI systems and exploit a known vulnerability to bypass Secure Boot, one of the last lines of defense protecting the boot process on current devices.


A threat combining the worst of Petya and NotPetya

The first signs of HybridPetya appeared on VirusTotal in February 2025, uploaded from Poland. According to ESET researcher Martin Smolár, the files, with names such as notpetyanew.exe, showed similarities to both the original Petya and NotPetya.

The key difference is that HybridPetya does allow files to be decrypted once the attacker's ransom demand is met, unlike NotPetya, which was designed as a wipe-and-brick malware with no recovery option. This makes it more akin to a classic ransomware model, though it retains the aggressive and destructive techniques characteristic of its “older brother.”

The malware encrypts the Master File Table (MFT) of NTFS file systems, the critical metadata file that records every file on the volume. Once the MFT is encrypted, the OS can no longer locate its data, rendering the device completely inoperable.


The leap to UEFI systems

What makes HybridPetya a distinct threat is its ability to compromise modern computers by installing a malicious EFI application on the EFI System Partition (ESP).

This bootkit allows encryption to occur early in startup, before the OS loads, disabling Windows security mechanisms and making recovery efforts much more difficult.

One analyzed sample also included a manipulated cloak.dat file exploiting CVE-2024-7344, a Secure Boot bypass flaw disclosed in early 2025. Thanks to this exploit, HybridPetya can bypass Secure Boot on unpatched systems, opening the door to attacks even on modern devices thought to be protected.


Proof of concept or imminent threat?

Currently, ESET telemetry has not detected any active campaigns of HybridPetya. This suggests it could be a proof of concept created by researchers or cybercriminal groups during testing phases.

Unlike NotPetya, HybridPetya still lacks mass network propagation mechanisms, limiting its reach. However, its incorporation of advanced UEFI and Secure Boot techniques indicates clear interest from attackers to develop more sophisticated ransomware for future scenarios.


Implications and risks

The discovery of HybridPetya highlights several critical points for current cybersecurity:

  • Evolution of ransomware: the trend toward targeting boot components and firmware signifies a qualitative leap in detection and mitigation challenges.
  • Patch obsolescence: systems that haven’t applied updates addressing CVE-2024-7344 are at immediate risk.
  • Targeted attacks: although not yet seen in mass campaigns, HybridPetya could be employed in surgical strikes against critical infrastructure or government entities.

Frequently Asked Questions

What is HybridPetya?
It is a new ransomware discovered by ESET in 2025 that combines features of Petya and NotPetya, with added capabilities to compromise UEFI systems and bypass Secure Boot protections.

How does it affect current systems?
It installs a bootkit on the EFI partition and encrypts the Master File Table (MFT) of NTFS disks, blocking file access and rendering the OS unusable.

Is it already active in campaigns?
There’s no evidence of widespread deployment yet. The samples detected seem to be tests or preparations for future attacks.

How can I protect against HybridPetya?
Applying security updates for UEFI vulnerabilities like CVE-2024-7344, maintaining offline backups, and strengthening boot security policies are essential preventative measures.
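As an added defensive check, not part of ESET's report or the original article, the following PowerShell script reports the local Secure Boot state and the size of the DBX revocation list (the firmware database through which the CVE-2024-7344 revocations were distributed), then mounts the EFI System Partition and inventories the EFI binaries on it, flagging any file named cloak.dat or any unsigned .efi application. It assumes an elevated PowerShell session on a UEFI-based Windows 10/11 machine and that drive letter S: is free to temporarily mount the ESP; it does not carry the revoked hashes themselves, since the article does not list them, so it only reports that a DBX is present and how large it is.

```powershell
# Added example (not from the ESET report): defensive inventory of the boot chain.
# Assumptions: elevated PowerShell on UEFI Windows 10/11; drive letter S: is unused.

#Requires -RunAsAdministrator

function Get-SecureBootStatus {
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Cmdlet throws on legacy BIOS firmware or when the platform does not expose UEFI variables
        $enabled = $false
    }
    # DBX is the UEFI forbidden-signature database; a zero size means no revocations are installed
    $dbx = Get-SecureBootUEFI -Name dbx -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootEnabled = $enabled
        DbxSizeBytes      = if ($dbx) { $dbx.Bytes.Length } else { 0 }
    }
}

function Get-EspEfiBinaries {
    param([string]$MountLetter = 'S:')
    # mountvol /S maps the EFI System Partition to the given drive letter
    mountvol $MountLetter /S | Out-Null
    try {
        $files = Get-ChildItem -Path "$MountLetter\EFI" -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.efi', '.dat' }
        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            [pscustomobject]@{
                Path       = $f.FullName.Substring($MountLetter.Length)
                SizeBytes  = $f.Length
                Signature  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                # cloak.dat is the payload container named in the article; an unsigned .efi
                # on the ESP is worth a second look on any Secure Boot system
                Suspicious = ($f.Name -ieq 'cloak.dat') -or
                             ($f.Extension -ieq '.efi' -and $sig.Status -ne 'Valid')
            }
        }
    } finally {
        # Always unmount so the ESP is not left exposed under a drive letter
        mountvol $MountLetter /D | Out-Null
    }
}

Get-SecureBootStatus | Format-List
Get-EspEfiBinaries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it on a clean reference machine first and keep that inventory (paths, signers, SHA256 hashes) as a baseline; on later runs, any new or changed entry under \EFI, a DBX that has shrunk or vanished, or Secure Boot reporting as disabled is the signal to investigate before the next reboot, since a bootkit of this kind acts before the OS and its security tooling are loaded.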
