Researchers from cybersecurity company ESET have detected a new ransomware called HybridPetya, which is similar to the infamous Petya and NotPetya malware. Like its predecessors, the malware targets the Master File Table (MFT) — a central database on NTFS partitions that catalogs all files and directories.
However, according to ESET, HybridPetya can bypass UEFI Secure Boot in order to install a malicious application on the EFI system partition.
There is also another difference: While NotPetya “only” aims to destroy data, HybridPetya acts as real ransomware. According to the researchers, the algorithm it contains allows attackers to reconstruct the decryption key from the victim’s personal installation key. This could theoretically allow victims to get their data back after paying a ransom. The variant analyzed by ESET demanded 850 euros in Bitcoin.
However, the ESET researchers suspect that this is a research project, a proof-of-concept (PoC) or an early version of a cybercrime tool that is still in the limited testing phase.
How the attack works
According to ESET, the ransomware exploits an already patched vulnerability (CVE-2024-7344) in a signed Microsoft EFI file (reloader.efi). An unsigned malicious file named cloak.dat is then loaded. In this way, integrity checks are bypassed and the malicious program can be executed even before the operating system starts.
The installer replaces the legitimate Windows bootloader with the vulnerable version. The malware then deliberately crashes the system, forcing a reboot. On boot, the compromised bootloader launches the HybridPetya bootkit and begins MFT encryption.
Encryption with the Salsa20 algorithm renders the entire hard disk unreadable. A fake CHKDSK message is used to disguise the malicious activity.
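A defender-side triage check for the attack chain described above, added here as an example and not code from the article or from ESET: it mounts the EFI system partition read-only, reports any file named cloak.dat or reloader.efi with its hash and Authenticode status, and prints the Secure Boot state. The drive letter S:, an elevated PowerShell session, and mounting via mountvol are assumptions.

```powershell
# Added example, not from the article or ESET. Assumes: run as Administrator,
# drive letter S: is unused, and the ESP can be exposed with mountvol.
# The script only lists and hashes files; it changes nothing on the ESP.
$EspLetter  = 'S:'
$Suspicious = @('cloak.dat', 'reloader.efi')   # file names the article ties to HybridPetya

function Test-EspForHybridPetyaArtifacts {
    mountvol $EspLetter /S | Out-Null            # expose the EFI system partition as S:
    try {
        $hits = Get-ChildItem -Path "$EspLetter\" -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $Suspicious -contains $_.Name.ToLower() }
        foreach ($f in $hits) {
            $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            # A signed-but-vulnerable reloader.efi still shows 'Valid' here, so a valid
            # signature alone does not clear the file; cloak.dat is unsigned by design.
            $sig = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
            [pscustomobject]@{
                Path      = $f.FullName
                SHA256    = $hash
                Signature = $sig
                LastWrite = $f.LastWriteTimeUtc
            }
        }
    }
    finally {
        mountvol $EspLetter /D                   # always unmount, even if enumeration throws
    }
}

$findings = Test-EspForHybridPetyaArtifacts
if ($findings) {
    Write-Warning "Suspicious boot files on the ESP; compare hashes with vendor/ESET indicators:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No cloak.dat or reloader.efi found on the ESP."
}

# The article notes CVE-2024-7344 is already patched; that patch only helps while
# Secure Boot is enforcing, so report its state alongside the file findings.
try {
    Write-Output ("Secure Boot enabled: {0}" -f (Confirm-SecureBootUEFI))
} catch {
    Write-Warning "Could not query Secure Boot state (legacy BIOS or not elevated): $($_.Exception.Message)"
}
```

A hit on reloader.efi is not proof of compromise on its own; compare the hash with the vendor's revoked-binary list and check that the machine has received the CVE-2024-7344 fix.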
Although the HybridPetya ransomware has not yet been observed in the wild, it should be seen as a warning of a new generation of bootkit-based threats.