New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit
Briefly
"HybridPetya encrypts the Master File Table, which contains important metadata about all the files on NTFS-formatted partitions," security researcher Martin Smolár said. "Unlike the original Petya/NotPetya, HybridPetya can compromise modern UEFI-based systems by installing a malicious EFI application onto the EFI System Partition. In other words, the deployed UEFI application is the central component that takes care of encrypting the Master File Table (MFT) file, which contains metadata related to all the files on the NTFS-formatted partition."
"Should the value be set to 0, it proceeds to set the flag to 1 and encrypts the \EFI\Microsoft\Boot\verify file with the Salsa20 encryption algorithm using the key and nonce specified in the configuration. It also creates a file called '\EFI\Microsoft\Boot\counter' on the EFI System Partition prior to launching the disk encryption process of all NTFS-formatted partitions. The file is used to keep track of the already encrypted disk clusters."
HybridPetya is a ransomware strain that encrypts the Master File Table (MFT) on NTFS partitions and bypasses UEFI Secure Boot by installing a malicious EFI application on the EFI System Partition (ESP). Samples were uploaded to VirusTotal in February 2025. The EFI application performs the MFT encryption and coordinates the encryption of all NTFS-formatted partitions. HybridPetya consists of two components: an installer and a bootkit (which exists in two versions). The bootkit loads its configuration, tracks encryption state through a flag (0 = ready to encrypt, 1 = already encrypted, 2 = ransom paid), encrypts \EFI\Microsoft\Boot\verify with Salsa20 using the key and nonce from the configuration, creates \EFI\Microsoft\Boot\counter to record which disk clusters have already been encrypted, and updates a fake CHKDSK message while encryption runs.
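A defender-side triage check for the two ESP artefacts named above (the counter file and the Salsa20-encrypted verify file), added here as an example and not code from ESET or The Hacker News. It assumes the ESP is mounted at a given path, that neither file is present on a stock Windows ESP, and that Salsa20 ciphertext shows near-maximal byte entropy; the sample ESP layout it builds is constructed.

```python
import math
import os
import tempfile
from pathlib import Path

# ESP artefacts named in the HybridPetya report, relative to the ESP root.
COUNTER_FILE = Path("EFI/Microsoft/Boot/counter")
VERIFY_FILE = Path("EFI/Microsoft/Boot/verify")
# Assumption: Salsa20 ciphertext is indistinguishable from random bytes, so an
# encrypted 'verify' file shows near-maximal entropy (close to 8 bits per byte).
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_esp(esp_root: str) -> dict:
    """Check a mounted ESP for the encryption-progress artefacts; 'suspicious' is set if any exist."""
    root = Path(esp_root)
    findings = {
        "counter_present": (root / COUNTER_FILE).is_file(),
        "verify_present": (root / VERIFY_FILE).is_file(),
        "verify_entropy": None,
        "verify_looks_encrypted": False,
    }
    if findings["verify_present"]:
        ent = shannon_entropy((root / VERIFY_FILE).read_bytes())
        findings["verify_entropy"] = round(ent, 2)
        findings["verify_looks_encrypted"] = ent >= ENTROPY_THRESHOLD
    findings["suspicious"] = findings["counter_present"] or findings["verify_present"]
    return findings


def build_sample_esp(infected: bool) -> str:
    """Build a constructed, throwaway ESP layout for demonstration (no real malware data)."""
    boot = Path(tempfile.mkdtemp(prefix="esp_")) / "EFI" / "Microsoft" / "Boot"
    boot.mkdir(parents=True)
    (boot / "bootmgfw.efi").write_bytes(b"MZ" + b"\x00" * 64)  # stand-in for the boot manager
    if infected:
        (boot / "counter").write_bytes(b"\x00" * 8)        # bootkit's cluster-progress file
        (boot / "verify").write_bytes(os.urandom(4096))    # stands in for Salsa20 ciphertext
    return str(boot.parents[2])
```

Run `triage_esp(build_sample_esp(True))` against the constructed infected layout to see both artefacts flagged; on a real system point it at the mounted ESP instead.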
Read at The Hacker News