A crippling ransomware strain is targeting various models of Bitcoin miners in China. | Source: Shutterstock
By CCN.com: China’s sprawling Bitcoin mining industry is being targeted by a terrifying new ransomware strain that is threatening the economy of the Sichuan river basin where most mining farms are located, housing a huge percentage of the Bitcoin blockchain’s hashpower.
First detected in August 2018, the ransomware which is called “hAnt” has been observed to target a wide variety of mining rigs including Bitmain‘s Antminer S9, T9 and L3 and Avalon equipment.
Its initial method of introduction remains unclear at the moment, but it is its method of propagation that is especially concerning for an already fragile industry, pummelled by weak Bitcoin prices and the threat of changing government policy on cheap hydroelectric power. Like conventional ransomware, hAnt encrypts a miner’s files and renders it unusable – a death sentence for a mining operation whose profitability depends on constant uptime. This is where it gets interesting.
“Bandersnatch” of Ransomware
Whereas ransomware typically makes a demand for a certain amount in crypto in exchange for decryption instructions, hAnt employs an especially pernicious tactic, effectively forcing victims to choose their own poison, a la “Bandersnatch”. When equipment owners connect to the affected rig to see what the problem is, they are presented with the following interface.
A click brings up the ransom prompt in Mandarin and halting English, which gives the user a choice between paying 10 BTC for decryption instructions. It carries the added threat infecting other mining rigs with a downloadable firmware update, which further propagates the spread of the ransomware.
In this way, the cybercriminals behind the scheme are able to create a revenue pipeline, knowing full well that not all miners can afford to pay the ransom, and some will inevitably choose the second option, which introduces the ransomware to a wider selection of miners who may be willing or able to pay the ransom.
In the event that the victim refuses to pay the ransom or spread the program, the note threatens to ruin the victim’s business by turning off the mining rig’s fan, which will lead to overheating and physical destruction of the delicate equipment. Thus far, there have been no confirmed reports of damaged equipment, which could either mean that the threat is empty, or that targeted victims are cooperating with the cybercriminals, which is even worse news.
BTC.top, a mining farm in the area confirmed the existence of hAnt to ZDNet, claiming that over 4,000 rigs were infected within minutes, which some see as evidence that the ransomware can spread out across a network of devices on its own.
In order to forestall the spread of hAnt and other ransomware, users have been advised to download firmware exclusively from their original equipment manufacturers while cybersecurity experts analyse and attempt to get the better of this latest critical threat.
Hat tip to ZDNet.