HybridPetya ransomware dodges UEFI Secure Boot • The Register

A new ransomware strain dubbed HybridPetya is able to exploit an already patched vulnerability to bypass Unified Extensible Firmware Interface (UEFI) Secure Boot on Windows systems that have not yet received the revocation (dbx) update, making it the fourth publicly known bootkit capable of punching through the feature and hijacking a PC before the operating system loads.
ESET researchers discovered the ransomware-bootkit combo after samples were uploaded to VirusTotal in February, and named it HybridPetya because of its similarities to the infamous Petya and NotPetya malware strains.
The silver lining: the code seems to be just a proof-of-concept (PoC) at this point, and the threat hunters say they’ve seen no indications of its use in the wild. Also, it doesn’t show the same aggressive network propagation as NotPetya.
Still, HybridPetya provides yet another example that Secure Boot bypasses, which were still considered an infosec urban legend until a few years ago, do exist, and that ethical hackers and attackers alike are eager to develop new variants.
As Reg readers no doubt remember: back in 2017, malware dubbed NotPetya (because the data-wiping malware masqueraded as 2016’s Petya ransomware) exploded across the world, ultimately costing more than $10 billion in damages.
Both Petya and NotPetya also contained bootkits that overwrote the Master Boot Record (MBR) on infected computers, thus allowing the malware to lock up victims’ entire hard drive and prevent the OS from booting.
The new HybridPetya shares its disk-locking behavior with its predecessors and abuses UEFI vulnerability CVE‑2024‑7344, which ESET discovered and disclosed earlier this year and which Microsoft has since revoked in dbx on updated machines.
“HybridPetya is also capable of compromising modern UEFI-based systems by installing a malicious EFI application to the EFI System Partition,” ESET malware researcher Martin Smolár wrote in a Friday report. “The deployed UEFI application is then responsible for encryption of the NTFS-related Master File Table (MFT) file – an important metadata file containing information about all the files on the NTFS-formatted partition.”
HybridPetya, unlike the data-destroying NotPetya, also functions as ransomware. The algorithm used to generate the victim’s personal installation key allows the malware operator to reconstruct the decryption key from the personal installation key – and thus unlock the files – as opposed to just wiping them clean.
How the bootkit works
Similar to the two original Petya/NotPetya variants, upon execution, the UEFI bootkit loads its configuration from the \EFI\Microsoft\Boot\config file, and checks the current encryption status. This status can have one of three values:
- 0 – ready for encryption
- 1 – already encrypted
- 2 – ransom paid, disk decrypted
If the value is 0, the bootkit rewrites the configuration file with the flag now set to 1 and encrypts the \EFI\Microsoft\Boot\verify file with the Salsa20 encryption algorithm, using the key and 8-byte-long nonce specified in the configuration data.
It also creates the file \EFI\Microsoft\Boot\counter on the EFI System Partition – this file is used to keep track of the already encrypted disk clusters – and begins the disk encryption process, starting with the identification of all NTFS-formatted partitions.
The malware also displays a fake Windows “CHKDSK” message on the victim’s screen to indicate the disk is being checked for errors – not being encrypted. This message is identical to those displayed in both NotPetya and Petya.
Meanwhile, if the disk is already encrypted (so the encryption flag value is set to 1), the bootkit proceeds with a ransom note that, like the original NotPetya, begins: “Ooops, your important files are encrypted.”
It then instructs the victim to send $1,000 in Bitcoin to a now-empty wallet (34UNkKSGZZvf5AYbjkUa2yYYzw89ZLWxu2) to purchase the decryptor. Once the victim enters the correct key, which the bootkit verifies, it proceeds to decrypt the disk and restore the legitimate bootloaders from a backup file created during the installation process. After that’s completed, the bootkit prompts the victim to reboot the device, and assuming everything worked, the OS should start up again.
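The on-disk behaviour described above gives a defender something concrete to check for: three artifact files under \EFI\Microsoft\Boot (config, verify, counter) and an extra EFI application dropped onto the EFI System Partition. The script below is an added example written for this article, not code from ESET or from the malware itself. It walks a mounted ESP, reports which of the named artifacts are present, and lists any .efi binaries that are not in a caller-supplied baseline. The baseline of expected bootloader paths, the sample ESP it builds in a temporary directory, the file contents, and the file name example_bootkit.efi are all constructed for the demo; the real layout of the config file is not described in the article, so the script only checks for its presence rather than parsing the status flag.

```python
import tempfile
from pathlib import Path

# Artifact paths named in ESET's write-up, relative to the ESP root.
# The article writes them with backslashes; a mounted ESP on Linux uses '/'.
HYBRIDPETYA_ARTIFACTS = (
    "EFI/Microsoft/Boot/config",   # holds the 0/1/2 encryption-status flag
    "EFI/Microsoft/Boot/verify",   # Salsa20-encrypted key-check file
    "EFI/Microsoft/Boot/counter",  # tracks already-encrypted clusters
)

# Constructed baseline of bootloaders expected on a stock Windows ESP.
# In practice, derive this from a known-good image of your own fleet.
BASELINE_EFI_BINARIES = {
    "EFI/Microsoft/Boot/bootmgfw.efi",
    "EFI/Microsoft/Boot/bootmgr.efi",
    "EFI/Boot/bootx64.efi",
}


def triage_esp(esp_root, baseline=BASELINE_EFI_BINARIES):
    """Return the HybridPetya artifacts found and any .efi files outside the baseline.

    The ESP is FAT32, which is case-insensitive, so all comparisons are lowercased.
    """
    root = Path(esp_root)
    # Map lowercased relative path -> relative path as it appears on disk.
    files = {
        p.relative_to(root).as_posix().lower(): p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file()
    }
    present = [rel for rel in HYBRIDPETYA_ARTIFACTS if rel.lower() in files]
    baseline_lc = {b.lower() for b in baseline}
    unexpected = sorted(
        original
        for lowered, original in files.items()
        if lowered.endswith(".efi") and lowered not in baseline_lc
    )
    return {"artifacts": present, "unexpected_efi": unexpected}


def build_sample_esp(root, infected):
    """Create a constructed miniature ESP for the demo (not a real disk image)."""
    root = Path(root)
    for rel in ("EFI/Microsoft/Boot/bootmgfw.efi", "EFI/Boot/bootx64.efi"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"MZ placeholder")  # constructed stand-in for a PE file
    if infected:
        boot = root / "EFI/Microsoft/Boot"
        # Constructed contents: the article does not describe the real file layouts.
        (boot / "config").write_bytes(b"\x01")
        (boot / "verify").write_bytes(b"\x00" * 16)
        (boot / "counter").write_bytes(b"\x00" * 8)
        # Hypothetical name for the dropped EFI application (not from the article).
        (boot / "example_bootkit.efi").write_bytes(b"MZ placeholder")
    return root


def demo():
    """Run the triage against a clean and an 'infected' constructed ESP."""
    results = {}
    for label, infected in (("clean", False), ("infected", True)):
        with tempfile.TemporaryDirectory() as tmp:
            results[label] = triage_esp(build_sample_esp(tmp, infected))
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings)
```

To use it on a real machine, mount the EFI System Partition read-only and call triage_esp with the mount point; any hit on the artifact list or an unexpected .efi file is a reason to image the disk before touching anything else, since the bootkit's decryptor relies on the backup file it left in place.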
“Although HybridPetya is not actively spreading, its technical capabilities – especially MFT encryption, UEFI system compatibility, and Secure Boot bypass – make it noteworthy for future threat monitoring,” Smolár wrote.
The discovery of HybridPetya follows three other real or PoC Secure Boot bypasses. Smolár wrote about the first, BlackLotus, back in 2023 after Kaspersky’s lead security researcher Sergey Lozhkin first saw it being sold on cybercrime marketplaces a year earlier.
Last November, ESET also spotted a bootkit targeting Linux systems dubbed Bootkitty after it was uploaded to VirusTotal.
ESET also counts the Hyper-V Backdoor PoC, which exploited CVE‑2020‑26200, among the four documented bootkits. ®