A recently identified ransomware variant, named HybridPetya, mimics the behavior of the infamous Petya/NotPetya malware but adds the ability to bypass UEFI Secure Boot. It does so by exploiting CVE-2024-7344, a since-patched vulnerability in the Howyar Reloader UEFI application (a third-party bootloader signed under Microsoft's UEFI CA), to get a malicious EFI component loaded during boot; the bypass therefore only works on machines that have not yet applied the Secure Boot dbx revocation for the vulnerable binary. Once running, HybridPetya encrypts the Master File Table (MFT) of NTFS partitions, the index that records where every file's data and attributes live, so the files become unreachable even though most of their contents are left in place on disk.
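Because the MFT is the target, a quick forensic check for Petya-style damage is to locate the MFT from the NTFS boot sector and confirm that its first records still begin with the `FILE` signature every healthy NTFS volume has. The following is an added example, not code from the original article or from the ESET research it summarizes: it parses the fields of an NTFS Volume Boot Record needed to find the MFT and then inspects the first few records. The sample disk image is constructed inline (a toy XOR over the MFT region stands in for the real cipher, purely to simulate the damaged state); the function and variable names are the author's own.

```python
import struct

NTFS_OEM = b"NTFS    "      # OEM ID at offset 3 of every NTFS boot sector
MFT_RECORD_MAGIC = b"FILE"  # every valid (non-corrupt) MFT record starts with this
SECTOR = 512


def parse_ntfs_vbr(vbr: bytes, partition_offset: int = 0) -> dict:
    """Extract the geometry needed to locate the MFT from an NTFS Volume Boot Record.

    partition_offset is the byte offset of the NTFS partition inside a raw disk
    image (0 when the input is a single-volume image).
    """
    if len(vbr) < SECTOR or vbr[3:11] != NTFS_OEM:
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, = struct.unpack_from("<H", vbr, 0x0B)
    spc_raw = vbr[0x0D]
    # Values above 0x80 encode large clusters as 2^(256 - value) sectors.
    sectors_per_cluster = spc_raw if spc_raw <= 0x80 else 1 << (256 - spc_raw)
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_lcn, = struct.unpack_from("<Q", vbr, 0x30)        # logical cluster of $MFT
    mft_mirror_lcn, = struct.unpack_from("<Q", vbr, 0x38)  # logical cluster of $MFTMirr
    cpr = struct.unpack_from("<b", vbr, 0x40)[0]           # clusters per MFT record
    # A negative value means the record size is 2^|cpr| bytes (normally -10 => 1024).
    record_size = 1 << (-cpr) if cpr < 0 else cpr * cluster_size
    return {
        "cluster_size": cluster_size,
        "record_size": record_size,
        "mft_offset": partition_offset + mft_lcn * cluster_size,
        "mft_mirror_offset": partition_offset + mft_mirror_lcn * cluster_size,
    }


def check_mft_records(image: bytes, partition_offset: int = 0, count: int = 4) -> dict:
    """Report which of the first `count` MFT records still carry the FILE signature.

    Record 0 is $MFT itself; if none of the first records has the signature, the
    MFT region has almost certainly been overwritten or encrypted in place.
    """
    geo = parse_ntfs_vbr(image[partition_offset:partition_offset + SECTOR], partition_offset)
    intact, damaged = [], []
    for i in range(count):
        start = geo["mft_offset"] + i * geo["record_size"]
        magic = image[start:start + 4]
        (intact if magic == MFT_RECORD_MAGIC else damaged).append(i)
    return {"mft_offset": geo["mft_offset"], "intact": intact, "damaged": damaged}


def build_sample_image(encrypted: bool = False) -> bytes:
    """Constructed single-volume NTFS image: 512-byte sectors, 8-sector clusters,
    $MFT at cluster 4, 1024-byte records. Not a real volume, only enough for the check."""
    bps, spc, mft_lcn = 512, 8, 4
    cluster = bps * spc
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = NTFS_OEM
    struct.pack_into("<H", vbr, 0x0B, bps)
    vbr[0x0D] = spc
    struct.pack_into("<Q", vbr, 0x30, mft_lcn)
    struct.pack_into("<Q", vbr, 0x38, 2)
    struct.pack_into("<b", vbr, 0x40, -10)
    vbr[510:512] = b"\x55\xAA"
    image = bytearray(cluster * 8)
    image[0:SECTOR] = vbr
    mft_off = mft_lcn * cluster
    for i in range(4):
        rec = mft_off + i * 1024
        image[rec:rec + 4] = MFT_RECORD_MAGIC
    if encrypted:
        # Simulated in-place encryption of the MFT region (toy XOR, not the malware's cipher).
        for pos in range(mft_off, mft_off + 4 * 1024):
            image[pos] ^= 0x5A
    return bytes(image)


if __name__ == "__main__":
    print("clean    :", check_mft_records(build_sample_image()))
    print("encrypted:", check_mft_records(build_sample_image(encrypted=True)))
```

On a real acquisition, read the raw disk image and pass the byte offset of the NTFS partition from the partition table as `partition_offset`. A present `FILE` signature does not prove the volume is untouched, but its absence from all of the first records is strong evidence that the MFT has been encrypted or overwritten, which is exactly the state this family leaves behind.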
The ransomware has two parts, a bootkit and an installer. The bootkit keeps its own record of the encryption state and, while encrypting, shows a fake CHKDSK screen so the user believes a disk repair is in progress rather than an attack. Once the disk is encrypted, a ransom note demands $1,000 in Bitcoin in exchange for a decryption key. When a key is entered, the bootkit validates it and, if it is correct, starts decrypting, using a counter file to track how far the process has progressed.
During installation, the malware deliberately triggers a system crash so that the machine reboots into the malicious bootkit. The associated Bitcoin wallet has seen only minimal activity, and there is no evidence of real-world attacks so far; researchers therefore suggest HybridPetya may be a proof-of-concept. It nonetheless fits a growing trend of UEFI bootkits that exploit Secure Boot weaknesses: this is the fourth publicly known bypass of this kind, a sign of increasing interest from attackers and security analysts alike.
