Howyar · Howyar UEFI Application "Reloader" · CVE-2024-7344
**Name of the Vulnerable Software and Affected Versions**
Howyar UEFI Application "Reloader" (32-bit and 64-bit)
versions prior to January 2025
**Description**
A vulnerability in the Howyar UEFI Application "Reloader" allows the execution of unsigned software from a hardcoded path. This flaw, identified as CVE-2024-7344, bypasses UEFI Secure Boot protections, potentially enabling the installation of malicious bootkits. The vulnerability resides in a UEFI application signed by Microsoft and affects a range of systems. Exploitation allows attackers to gain control at the boot level, potentially bypassing operating system-level security measures. A new ransomware strain, HybridPetya, has been observed exploiting this vulnerability to gain persistence and encrypt systems. HybridPetya mimics the behavior of Petya/NotPetya ransomware, encrypting the NTFS Master File Table (MFT) and demanding a ransom payment. While HybridPetya has not yet been widely deployed in active attacks, its capabilities suggest significant threat potential.
**Recommendations**
Apply the January 2025 UEFI revocation database update.
Check for the presence of the 'cloak.dat' file.
Rotate Secure Boot keys if necessary.
Apply updates for CVE-2024-7344.
Ensure Secure Boot is enabled and properly configured.
Monitor firmware integrity using tools like UEFI Scanner or CHIPSEC.
Maintain offline backups of both data and firmware configurations.
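A triage sketch for two of the recommendations above (checking for 'cloak.dat' and confirming Secure Boot is enabled), added here as an example and not taken from the advisory or any vendor tool. It assumes a Linux host with the EFI System Partition mounted at a path you pass in (the `/boot/efi` default is an assumption) and reads the standard `SecureBoot` variable through efivarfs; the function names are hypothetical.

```python
import hashlib
import os
import sys
from pathlib import Path

TARGET = "cloak.dat"  # file name given in the advisory
# Linux efivarfs path of the standard SecureBoot variable (EFI global variable GUID).
SB_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def find_cloak(esp_root):
    """Return sorted (path, size, sha256) tuples for files named cloak.dat."""
    root = Path(esp_root)
    if not root.is_dir():
        # An unmounted ESP must not be reported as "clean".
        raise FileNotFoundError(f"{esp_root} is not a mounted directory")
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET:  # FAT names are case-insensitive
                continue
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
                hits.append((str(path), len(data), hashlib.sha256(data).hexdigest()))
            except OSError:
                hits.append((str(path), None, None))  # present but unreadable
    return sorted(hits)


def secure_boot_state(var_path=SB_VAR):
    """True/False from the SecureBoot variable, None if it cannot be read."""
    try:
        raw = Path(var_path).read_bytes()
    except OSError:
        return None
    # efivarfs prepends a 4-byte attributes field; the value is the 5th byte.
    return raw[4] == 1 if len(raw) >= 5 else None


if __name__ == "__main__":
    # /boot/efi is an assumed default mount point; pass the real one as argv[1].
    esp = sys.argv[1] if len(sys.argv) > 1 else "/boot/efi"
    print("Secure Boot enabled:", secure_boot_state())
    found = find_cloak(esp)
    for path, size, digest in found:
        print(f"FOUND {path} size={size} sha256={digest}")
    sys.exit(1 if found else 0)
```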