A new strain of ransomware dubbed ‘hAnt’ has been spotted targeting Bitcoin mining rigs, primarily in China. Mining rigs infected by hAnt include Antminer S9 and T9 devices used for Bitcoin mining and Antminer L3 rigs used for Litecoin mining. In a few instances, Avalon miner equipment used for Bitcoin mining was also affected.
How cybercriminals infect a mining farm’s data center or equipment remains unknown. However, security experts in China noted that the ransomware comes inside infected versions of mining rig firmware.
Green splash screen
Chinese media reported that once hAnt ransomware infects a mining rig, it immediately locks the device and prevents it from mining any new currency.
Contents of the ransom note
“I am hAnt! I continue to attack your Antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1,000. I will stop attacking you! Otherwise, I will turn off your antminer's fan and overheat protection, which will cause you to burn your machine or will burn the house. Click the 'Download firmware patch' button to download the firmware patch with your specific ID. Just update it to your normal Antminer to get infected. You can bring the machine that updated the patch to another computer room to complete the infection or induce others to use the firmware patch in the network group. Or support 10 BTCs, I will stop attacking,” the ransom note read, ZDNet reported.
hAnt's capabilities
Security experts noted that the hAnt ransomware could abuse an overclocking feature in the Antminer firmware to overheat and compromise devices. The ransomware could also spread on its own to other mining rigs connected to the same network.
Chinese media reported that an executive from BTC.Top, a Bitcoin mining company, claimed that the hAnt ransomware infected almost 4000 mining rigs within minutes.
Besides financial losses, victims also reported losses from the time required to remove the ransomware, which involved overwriting the infected mining devices’ SD cards and installing secure firmware.