Overview
- HybridPetya combines a UEFI bootkit with Petya-style ransomware: it installs a malicious EFI application on the EFI System Partition (ESP), which encrypts the NTFS Master File Table (MFT) so the system can no longer start normally.
- Some variants exploit CVE‑2024‑7344: the Microsoft‑signed Howyar reloader.efi loads a crafted cloak.dat without verifying its signature, so the bootkit runs with Secure Boot enabled on any system where the revocation has not been applied.
- Microsoft revoked the vulnerable binary in its January 2025 dbx (Secure Boot forbidden‑signature database) update. Hosts that have applied that update refuse to load reloader.efi; unpatched devices, and devices where the dbx update was never applied, remain exposed.
- ESET reports no evidence of in‑the‑wild attacks: the samples were uploaded to VirusTotal in February 2025 and may be a proof of concept or limited testing rather than an active campaign.
- The malware forces a reboot via a BSOD, shows a fake CHKDSK screen while the MFT is encrypted, and then demands $1,000 in Bitcoin. Encryption uses Salsa20 and the key is kept recoverable, so the MFT can be decrypted once the victim supplies the key obtained after payment. ESET has published indicators of compromise to aid defenders.
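Two checks a defender would want from the points above: is the dbx revocation actually present on a given host, and does the ESP carry the reloader.efi / cloak.dat pair? The script below is an added example, not ESET's or Microsoft's code. It parses a dumped dbx (a concatenation of EFI_SIGNATURE_LIST structures), reports whether a given SHA‑256 is revoked, and lists files with either name on a mounted ESP. The embedded dbx sample is constructed from placeholder hashes, not the real reloader.efi hash (which this page does not give); the efivars path and the ESP mount point are assumptions. Caveat: dbx SHA‑256 entries are Authenticode hashes of the PE image (the checksum and certificate‑table fields are skipped), so `sha256sum reloader.efi` will not match; obtain the Authenticode hash with a PE‑aware tool before calling `is_revoked`.

```python
"""dbx revocation check and ESP triage for the reloader.efi / cloak.dat pair.

Added example (not ESET's or Microsoft's code). SAMPLE_DBX is constructed from
placeholder hashes; paths and file names below are assumptions.
"""
import hashlib
import re
import struct
import uuid
from pathlib import Path
from typing import Iterable

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID under which db/dbx live; on Linux the variable is exposed as
# /sys/firmware/efi/efivars/dbx-<this guid> with a 4-byte attribute prefix.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk concatenated EFI_SIGNATURE_LISTs; return (type, owner, data) per entry.
    Raises ValueError on a truncated or inconsistent list rather than reading past it."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:  # every EFI_SIGNATURE_DATA starts with a 16-byte SignatureOwner
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body_start = off + SIGLIST_HDR.size + hdr_size
        body_end = off + list_size
        if (body_end - body_start) % sig_size:
            raise ValueError(f"signature body is not a multiple of SignatureSize at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)  # GUIDs are stored mixed-endian
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        off += list_size
    return entries


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_signature_lists(blob)
        return True
    except ValueError:
        return False


def revoked_sha256_hashes(blob: bytes) -> set[str]:
    """Lower-case hex of every EFI_CERT_SHA256 entry (X.509 entries are ignored)."""
    return {data.hex() for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given PE Authenticode SHA-256 (not a raw file hash) is listed in dbx."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(blob)


def load_dbx_linux(path: str = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}") -> bytes:
    """Read dbx from efivarfs (assumed path); efivarfs prepends a UINT32 attributes word."""
    return Path(path).read_bytes()[4:]


def suspect_names(paths: Iterable[str]) -> list[str]:
    """Keep paths whose file name is reloader.efi or cloak.dat, whatever the directory."""
    wanted = {"reloader.efi", "cloak.dat"}
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() in wanted]


def scan_esp(esp_root: str) -> list[str]:
    """Walk a mounted ESP (assumed mount point) and return matching file paths."""
    return suspect_names(str(p) for p in Path(esp_root).rglob("*") if p.is_file())


def build_sha256_list(hashes: list[bytes], owner: uuid.UUID) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct the sample)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return SIGLIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, SIGLIST_HDR.size + len(body), 0, 16 + 32) + body


# Constructed sample: two lists, three placeholder entries, placeholder owner GUID.
_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
_H = [hashlib.sha256(f"constructed-revoked-entry-{i}".encode()).digest() for i in (1, 2, 3)]
SAMPLE_DBX = build_sha256_list(_H[:1], _OWNER) + build_sha256_list(_H[1:], _OWNER)
SAMPLE_REVOKED_HEX = _H[0].hex()
SAMPLE_NOT_REVOKED_HEX = hashlib.sha256(b"constructed-unrevoked-entry").hexdigest()

if __name__ == "__main__":
    print(f"sample dbx entries: {len(parse_signature_lists(SAMPLE_DBX))}")
    print(f"revoked? {is_revoked(SAMPLE_DBX, SAMPLE_REVOKED_HEX)}")
```

On Windows, dump the live dbx with `[IO.File]::WriteAllBytes('dbx.bin', (Get-SecureBootUEFI -Name dbx).Bytes)` (no attribute prefix, so pass the bytes straight to `parse_signature_lists`) and expose the ESP with `mountvol S: /S` before calling `scan_esp('S:\\')`. A hit from `scan_esp` is a lead, not a verdict: reloader.efi is a legitimate vendor binary on some systems, so confirm with the hash check and ESET's published indicators.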