Malware

New ransomware demands that users pay 10 Bitcoin or infect another thousand mining devices

Attackers threaten to collapse users’ mining platforms

Network security and ethical hacking specialists from the International Institute of Cyber Security report the finding of a new ransomware variant specifically targeting Bitcoin mining platforms. So far, most known infection cases have been reported in China, as this is the country with the most cryptocurrency mining rigs in the world.

Dubbed ‘hAnt’, this new ransomware was first detected in August 2018, although serious propagation of this malicious software began just a couple of weeks ago.

According to network security experts, most infected mining devices are Antminer S9 and T9, primarily used for Bitcoin mining. hAnt infections have also been registered on Antminer L3 equipment, which is used for mining the Litecoin cryptocurrency. Other Bitcoin mining devices, such as Avalon Miner, have also been infected, albeit to a lesser extent.

The method used by attackers to infect the devices is still unknown, although some China-based network security specialists theorize that hAnt is capable of hiding within poisoned versions of the mining devices' firmware.

According to the evidence collected so far, once hAnt infects the platform, the device is blocked, preventing the extraction of any virtual assets. When administrators connect remotely or manually to their devices, they find a home screen showing the illustration of an ant and two pickaxes in ASCII characters, similar to the home screen shown by other ransomware variants. When performing any interaction on the home screen, the hAnt ransom note, written in English and Chinese, is loaded.

In the ransom note, the victims are offered two options: they can pay the ransom of 10 Bitcoin (about $35k USD), or they can download an update of the malicious firmware to infect another thousand mining devices. The note threatens to overheat and burn the device unless one of these two conditions is met.

There are still no records of destroyed devices, which leads the experts to assume that this threat is false. However, experts believe that hAnt is able to abuse one of the features of Antminer to overheat devices. Experts also say that hAnt is able to propagate itself to other mining platforms connected to the same network, although further details about this claim are unknown.

Some of the victims of this infection report significant losses due to the time it takes to re-flash the SD card of the mining device to eliminate the infection and reinstall the firmware.

Bitmain, the developer of the Antminer platforms, issued a security alert last year asking its users not to install firmware downloaded from unofficial platforms, so users should be cautious when removing the hAnt infection.
