- The infected mining rigs include Antminer S9 and T9 devices used for Bitcoin mining and Antminer L3 rigs used for Litecoin mining.
- Security experts noted that hAnt comes hidden inside infected versions of mining rig firmware.
A new strain of ransomware dubbed ‘hAnt’ has been spotted targeting Bitcoin mining rigs, primarily in China. Mining rigs infected by hAnt include Antminer S9 and T9 devices used for Bitcoin mining and Antminer L3 rigs used for Litecoin mining. In a few instances, Avalon miner equipment used for Bitcoin mining was also affected.
How cybercriminals infect a mining farm’s data center or equipment remains unknown; however, security experts in China noted that the ransomware comes inside infected versions of mining rig firmware.
Green splash screen
Chinese media reported that once hAnt ransomware infects a mining rig, it immediately locks the device and prevents it from mining any new currency.
- Once the mining equipment is infected, equipment owners connecting to the device via the CLI or manually using the LCD screen will see a green splash screen showing an ant and two axes.
- Clicking anywhere on the screen or pressing any key loads a ransom note in both Chinese and English.
- The ransom note gives victims two options to choose from.
1. Victims can pay 10 Bitcoin as ransom to have the ransomware removed from the infected mining rig.
2. Alternatively, they can download the malicious firmware update and spread the ransomware further to other mining rigs.
- The ransom note further threatens to destroy the device if the victims neither pay the ransom nor infect at least 1000 other mining rigs.
Contents of the ransom note
Image source: yibenchain.com
“I am hAnt! I continue to attack your Antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1,000. I will stop attacking you! Otherwise, I will turn off your antminer's fan and overheat protection, which will cause you to burn your machine or will burn the house. Click the 'Download firmware patch' button to download the firmware patch with your specific ID. Just update it to your normal Antminer to get infected. You can bring the machine that updated the patch to another computer room to complete the infection or induce others to use the firmware patch in the network group. Or support 10 BTCs, I will stop attacking,” the ransom note read, ZDNet reported.
Security experts noted that the hAnt ransomware could abuse an overclocking feature in the Antminer firmware to overheat and compromise devices. The ransomware could also spread on its own to other mining rigs connected to the same network.
Chinese media reported that an executive from BTC.Top, a Bitcoin mining company, claimed that the hAnt ransomware infected almost 4000 mining rigs within minutes.
Besides financial losses, victims also reported losses from the downtime required to remove the ransomware, which involves overwriting the infected mining devices’ SD cards and installing clean firmware.
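Farm operators triaging an incident like this can flag rigs on the symptoms described above (mining halted, fan stopped, boards overheating) and refuse to flash any image whose digest is not on their own verified allowlist. The Python below is an added example, not code from the article, from Bitmain or from any Antminer API; the telemetry field names and the sample records are constructed assumptions.

```python
import hashlib

# Constructed firmware images standing in for vendor releases the operator has
# verified out of band; only their SHA-256 digests are ever allowlisted.
TRUSTED_IMAGES = {b"constructed-good-image-v1", b"constructed-good-image-v2"}
KNOWN_GOOD_FIRMWARE = {hashlib.sha256(img).hexdigest() for img in TRUSTED_IMAGES}

# Thresholds are assumptions chosen for illustration, not vendor limits.
MAX_TEMP_C = 85
MIN_FAN_RPM = 1000

# Constructed per-rig telemetry. Field names are assumed, not cgminer's real keys.
SAMPLE_TELEMETRY = [
    {"rig": "s9-01", "ghs_5s": 13500.0, "fan_rpm": [4800, 4920], "temp_c": [61, 64],
     "firmware_sha256": hashlib.sha256(b"constructed-good-image-v1").hexdigest()},
    {"rig": "s9-02", "ghs_5s": 0.0, "fan_rpm": [0, 0], "temp_c": [92, 95],
     "firmware_sha256": "f" * 64},   # unknown image: locked, fan off, overheating
    {"rig": "l3-07", "ghs_5s": 504.0, "fan_rpm": [3900, 3950], "temp_c": [58, 60],
     "firmware_sha256": hashlib.sha256(b"constructed-good-image-v2").hexdigest()},
]


def firmware_is_trusted(image: bytes) -> bool:
    """Gate before flashing: only images whose digest is allowlisted may be applied."""
    return hashlib.sha256(image).hexdigest() in KNOWN_GOOD_FIRMWARE


def assess_rig(t: dict) -> list:
    """Return findings for one rig; an empty list means nothing suspicious."""
    findings = []
    if t["ghs_5s"] <= 0:
        findings.append("no hashrate (rig locked or mining halted)")
    if any(rpm < MIN_FAN_RPM for rpm in t["fan_rpm"]):
        findings.append("fan stopped or below minimum RPM")
    if any(c > MAX_TEMP_C for c in t["temp_c"]):
        findings.append("board temperature above safe limit")
    if t["firmware_sha256"] not in KNOWN_GOOD_FIRMWARE:
        findings.append("running firmware digest not in operator allowlist")
    return findings


def assess_fleet(telemetry: list) -> dict:
    """Map rig name -> findings, listing only rigs that need attention."""
    report = {}
    for t in telemetry:
        findings = assess_rig(t)
        if findings:
            report[t["rig"]] = findings
    return report


if __name__ == "__main__":
    for rig, findings in assess_fleet(SAMPLE_TELEMETRY).items():
        print(rig, "->", "; ".join(findings))
```

A rig that trips the fan or temperature check should be powered down before its SD card is reimaged, since the note itself threatens to disable overheat protection.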