A new piece of ransomeware, and it can bypass one of the best security measures against malicious disk encryption.
HybridPetya is a virus that was recently found by cybersecurity company ESET. The malware can bypass UEFI Secure Boot, a Windows utility that checks certificates of software that is trying to boot on a storage drive when a PC is powered on. This security check, in theory, prevents malicious code or unofficial software from booting.
However, HybridPetya can detect when an infected drive uses UEFI with GPT partitioning and can bypass Secure Boot. Once it circumvents Secure Boot, the malware adds, deletes, or alters boot files on the boot partition drive to lock and encrypt the rest of the drive’s data.
Once activated, HybridPetya will present the user with a message stating that all their files are encrypted. The ransom note also includes instructions to send US$1000 worth of Bitcoin to a wallet. The infected user is also prompted to send their Bitcoin wallet and a generated installation key to a ProtonMail email address to receive a decryption key.
ESET stated it had not noticed any real-world attacks using HybridPetya as of September 12. In that light, it appears that the ransomware may be a proof-of-concept or may be in a testing phase prior to a deployment. The good news is that the exploit used by the malware was addressed in a Windows patch back in January (January 2025 Patch Tuesday), so if a Windows computer is up-to-date, it should be safe. It’s uncertain whether HybridPetya could affect other operating systems like macOS or Linux.
