UEFI Secure Boot circumvented by novel HybridPetya ransomware

Advanced UEFI-based systems could be infiltrated by the newly emergent HybridPetya ransomware strain, which resembles Petya and NotPetya, through a malicious EFI application planted in the EFI System Partition, according to The Hacker News. HybridPetya's installer deploys a bootkit that loads its configuration and checks the disk's encryption status; it also creates a file that tracks which disk clusters have already been encrypted, and once it detects an encrypted disk it displays a ransom note demanding $1,000 worth of Bitcoin as payment, a report from ESET revealed. Other iterations of HybridPetya have exploited the Howyar Reloader UEFI application remote code execution flaw, tracked as CVE-2024-7344, to evade UEFI Secure Boot, the researchers noted, who also found that the new ransomware has decryption key reconstruction capabilities. The findings, which showed no active use of the ransomware, follow the discovery that the BlackLotus, BootKitty, and Hyper-V Backdoor PoC also evaded UEFI Secure Boot. "This shows that Secure Boot bypasses are not just possible, they're becoming more common and attractive to both researchers and attackers," the researchers said.

