Full Report
A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition. [...]
Analysis Summary
# Vulnerability: HybridPetya Ransomware Bypassing UEFI Secure Boot via Vulnerable Microsoft-Signed Application
## CVE Details
- CVE ID: CVE-2024-7344
- CVSS Score: N/A (no score is given in the source; severity is implied high because the outcome is bootkit installation)
- CWE: Not specified; the weakness is Secure Boot trusting a vulnerable signed binary (likely a Secure Boot / supply-chain weakness)
## Affected Systems
- Products: UEFI/Windows Systems utilizing Secure Boot
- Versions: Systems that have **not** applied the January 2025 security updates or later.
- Configurations: UEFI systems with GPT partitioning on which the flaw tracked as CVE-2024-7344 is present.
## Vulnerability Description
HybridPetya is a ransomware strain, inspired by Petya/NotPetya, that leverages the vulnerability detailed in **CVE-2024-7344**. This vulnerability lets the malware abuse a vulnerable Microsoft-signed application to deploy a malicious bootkit directly into the **EFI System Partition (ESP)** even when UEFI Secure Boot is active.
The malware replaces the legitimate Windows bootloader (`bootmgfw.efi`) with a malicious version (`reloader.efi`) and installs configuration files (`config`, `verify`, `counter`, `cloak.dat`) into the ESP. Upon reboot, it displays a fake Blue Screen of Death (BSOD), executes the bootkit, encrypts the Master File Table (MFT) using Salsa20, and presents a ransom note demanding $1,000 in Bitcoin.
## Exploitation
- Status: Not observed in the wild; likely a proof-of-concept (PoC) or research sample, although similar bootkits are a known threat.
- Complexity: Low (Exploits a systemic flaw allowing execution before OS protection layers)
- Attack Vector: Local/Network (Requires initial execution to deploy payload to ESP)
## Impact
- Confidentiality: High (Encryption of disk data)
- Integrity: High (Modification of system boot process and data corruption via encryption)
- Availability: Critical (System rendered unbootable until ransom is paid or data is restored)
## Remediation
### Patches
- Patch for **CVE-2024-7344** released in the **January 2025 Patch Tuesday** (or subsequent security updates). Applying this patch protects systems from this specific exploitation route.
### Workarounds
- Maintain offline, verified backups of critical data to enable restoration without paying the ransom.
## Detection
- **Indicators of Compromise (IOCs):** Files written to the EFI System Partition (ESP) under paths like `\EFI\Microsoft\Boot\` containing names such as `cloak.dat`, `reloader.efi`, and modified versions of boot configuration files.
- **Detection Methods and Tools:** ESET has published IOCs related to the analyzed sample, which can be used by endpoint detection and response (EDR) systems or antivirus software looking for specific file hashes or disk structure modifications associated with bootkit installation.
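To illustrate the ESP checks described above, here is an added example (not code from ESET or from the original report) that walks a mounted ESP, flags the HybridPetya file names this report lists, and compares `bootmgfw.efi` against an operator-supplied known-good SHA-256. The mount path, the baseline hash and the `demo()` layout are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: these names are taken from this report's description of what
# HybridPetya writes to the ESP; a production check should also match the
# file hashes published in ESET's IOC repository.
HYBRIDPETYA_ESP_NAMES = {"reloader.efi", "cloak.dat", "config", "verify", "counter"}
# Location of the Windows boot manager on the ESP.
BOOT_DIR = Path("EFI") / "Microsoft" / "Boot"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_esp(esp_root, known_good_bootmgfw_sha256=None):
    """Scan a mounted ESP and return sorted (relative_path, reason) findings.

    Flags any file whose name matches a HybridPetya artefact and, when the
    operator supplies a known-good SHA-256 for bootmgfw.efi, flags a boot
    manager whose hash no longer matches that baseline.
    """
    root = Path(esp_root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.name.lower() in HYBRIDPETYA_ESP_NAMES:
            findings.append((path.relative_to(root).as_posix(), "HybridPetya artefact name"))
    bootmgfw = root / BOOT_DIR / "bootmgfw.efi"
    if known_good_bootmgfw_sha256 and bootmgfw.is_file():
        if sha256_file(bootmgfw) != known_good_bootmgfw_sha256.lower():
            findings.append((bootmgfw.relative_to(root).as_posix(),
                             "bootmgfw.efi differs from known-good baseline"))
    return sorted(findings)


def demo():
    """Build a constructed ESP layout mimicking an infected system and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / BOOT_DIR
        boot.mkdir(parents=True)
        baseline = hashlib.sha256(b"constructed clean boot manager").hexdigest()
        # Infection as described: boot manager replaced, bootkit and config files staged
        (boot / "bootmgfw.efi").write_bytes(b"constructed replaced boot manager")
        (boot / "reloader.efi").write_bytes(b"constructed bootkit")
        for name in ("config", "verify", "counter", "cloak.dat"):
            (boot / name).write_bytes(b"x")
        (boot / "memtest.efi").write_bytes(b"constructed benign file, must not be flagged")
        return scan_esp(tmp, baseline)
```

On a live system, mount the ESP first (for example `mountvol S: /S` on Windows, or use `/boot/efi` on a Linux rescue image) and pass that path to `scan_esp` with a baseline hash recorded from a known-clean machine of the same Windows build.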
## References
- Vendor Advisories: ESET Research/Analysis (details regarding the vulnerability exploit chain).
- Relevant links:
  - Information regarding the underlying flaw fix: bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/
  - Reference to the specific CVE: bleepingcomputer.com/news/security/new-uefi-secure-boot-flaw-exposes-systems-to-bootkits-patch-now/
  - IOC Repository: github.com/eset/malware-ioc/tree/master/hybridpetya