HybridPetya Ransomware Bypasses Modern Security to Hijack PCs
A dangerous new strain of ransomware, named HybridPetya, has been uncovered by cybersecurity experts. This malicious software not only mimics the destructive Petya and NotPetya malware that caused widespread chaos years ago but also adds a frightening new trick: it can sidestep the Secure Boot feature on modern computers, a critical defense designed to stop this very kind of attack.
How HybridPetya Locks Down Your Computer
Discovered by researchers at the cybersecurity firm ESET, HybridPetya operates by targeting the very core of a computer’s file system. Instead of encrypting individual files one by one, it goes straight for the Master File Table (MFT). Think of the MFT as the master index or table of contents for your hard drive; it tells your operating system where every single file is located. By encrypting this index, the malware effectively makes your entire hard drive unreadable, locking you out of all your data at once.
What makes HybridPetya especially alarming is its ability to infect modern machines running UEFI firmware, the standard for today’s PCs. It cleverly installs its own malicious program onto the EFI System Partition, the part of the hard drive that the computer uses to start up. This malicious boot application is the engine that drives the entire attack, encrypting the MFT while cleverly disguising its activity. To the unsuspecting victim, the screen displays a fake Windows “CHKDSK” message, making it look like the computer is simply scanning for and repairing disk errors. In reality, their data is being held hostage behind their back.
The Ransom Demand and Decryption Promise
Once the encryption is complete, the fake repair screen disappears and is replaced by a ransom note. The message demands a payment of $1,000 in Bitcoin to a specific digital wallet address. If the victim pays the ransom, they are supposed to receive a unique decryption key.
The ransomware provides a field on the screen where the victim can enter this key. If the correct key is entered, the malware’s bootkit verifies it and begins the decryption process. It even displays the progress on screen, showing the user that their files are supposedly being restored. The malware keeps track of its own encryption progress using a hidden counter file, which it then uses to reverse the process.
After the decryption is finished, the malware restores the computer’s original, legitimate boot files, effectively cleaning up after itself. It then prompts the user to restart their computer, which should, in theory, boot back into Windows with all data intact. While the attackers’ Bitcoin wallet has seen some activity, receiving over $180 between February and May 2025, it is currently empty.
A Deliberate Crash to Gain Control
One of the most cunning aspects of the attack is how the malware ensures it gains control of the system. The initial installer component makes changes to the computer’s essential boot files. This modification is intentionally designed to be unstable, causing the Windows operating system to crash and display the infamous Blue Screen of Death (BSoD).
This crash is not a mistake; it’s a critical part of the plan. A forced reboot is exactly what the malware needs. When the user turns the computer back on, the system doesn’t load the normal Windows startup files. Instead, it loads the malicious bootkit that the malware planted, giving the ransomware complete control of the machine before the operating system or any antivirus software has a chance to load.
Exploiting Old Flaws to Defeat New Defenses
Researchers found that some versions of HybridPetya exploit a known security vulnerability to bypass UEFI Secure Boot. Secure Boot is a security standard developed to ensure that a device boots using only software that is trusted by the manufacturer. It’s meant to prevent malicious software from loading when a PC starts up.
However, HybridPetya leverages a now-patched flaw in a legitimate UEFI application to get around this protection. The attackers deploy a vulnerable version of this application and use it to load their own malicious code without any security checks. This effectively turns a trusted process into a gateway for the ransomware. While Microsoft has already revoked the vulnerable binary in a security update from January 2025, any system that has not been updated remains at risk.
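As an added defender-side check (example code written for this page, not code from the article or from ESET), the PowerShell script below, run from an elevated prompt on a Windows machine, reports the Secure Boot state and the size of the firmware's forbidden-signature database (DBX), then inventories every boot application on the EFI System Partition with its signer, hash and last write time. It assumes the S: drive letter is free for temporarily mounting the ESP.

```powershell
# Added triage script (not from ESET or the article). Assumptions: run as Administrator,
# drive letter S: is unused, and "mountvol /S" mounts the machine's EFI System Partition.
$espLetter = 'S:'
$mountedHere = $false
if (-not (Test-Path $espLetter)) {
    mountvol $espLetter /S | Out-Null     # /S mounts the EFI System Partition
    $mountedHere = $true
}

try {
    # 1. Secure Boot state. $false (or legacy BIOS) means the firmware will run unsigned boot apps.
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'unsupported (legacy BIOS?)' }
    Write-Host "Secure Boot enabled: $secureBoot"

    # 2. DBX size. A revoked binary is only blocked once the firmware's DBX actually carries its
    #    hash, so a very small DBX suggests the revocation update was never applied to this box.
    try {
        $dbx = Get-SecureBootUEFI -Name dbx
        Write-Host ("DBX size: {0} bytes" -f $dbx.Bytes.Length)
    } catch { Write-Host 'DBX: not readable on this system' }

    # 3. Every .efi boot application on the ESP. Unsigned or unexpected signers, and write
    #    times that do not match the last known OS or firmware update, deserve a closer look.
    Get-ChildItem -Path "$espLetter\EFI" -Recurse -Filter *.efi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Sort-Object Modified -Descending | Format-Table -AutoSize
}
finally {
    # Unmount only if this script mounted the partition.
    if ($mountedHere) { mountvol $espLetter /D | Out-Null }
}
```

Compare the listed hashes and signers against a known-good baseline from an identical, freshly patched machine; the script itself does not know which boot applications belong on a given system.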
Although there is no evidence of HybridPetya being used in widespread attacks yet, its existence is a major concern. It joins a growing list of advanced threats like BlackLotus and BootKitty that can bypass Secure Boot. Its discovery serves as a powerful reminder that even the most fundamental security features are being actively targeted by attackers, making it more important than ever for users to keep their systems fully patched and updated.