A new strain of ransomware has been observed targeting Bitcoin mining rigs. At the time of writing, most of the infections have been reported in China, the country where most of the world’s cryptocurrency mining farms are located.
Named hAnt, this new ransomware strain was first seen in August of last year, but a new wave of infections has been reported hitting mining farms earlier this month.
Most of the infected mining rigs are Antminer S9 and T9 devices, used for Bitcoin mining, but there have also been reports of hAnt infecting Antminer L3 rigs, used for mining Litecoin. In rare instances, Avalon Miner equipment (used for Bitcoin), were also reported as infected, but in much smaller numbers.
It is unclear how crooks first infect a mining farm’s data center or equipment, but some Chinese security experts suggest that hAnt comes hidden inside tainted versions of mining rig firmware that has been making the rounds online since last summer.
According to reports in Chinese media, once hAnt infects a mining rig, it immediately locks the device and prevents it from mining any new currency.
When equipment owners connect to devices remotely (via a CLI) or manually (using LCD screens) the first thing they see is a splash screen depicting an ant and two pickaxes in green ASCII characters, similar to the red skull splash screen displayed by the NotPetya ransomware.
Clicking anywhere on the screen or pressing any key loads the hAnt ransom note, in both English and Chinese text.
The ransom note is somewhat unique when compared to ransom demands seen on desktop ransomware variants because victims are given a choice.
They can either pay a 10 Bitcoin ($36,000) ransom to remove the ransomware from the mining rig, or they can download a malicious firmware update that they have to apply to other mining rigs to further spread the ransomware.
If victims fail to pay the ransom or infect at least 1,000 other devices, the ransom note threatens to turn off the mining rig’s fan and its overheat protection, leading to the device’s destruction.
There haven’t been reports of any destroyed equipment just yet, suggesting that this is an empty threat, however, experts say hAnt could theoretically abuse an overclocking feature in the Antminer firmware to overheat and compromise devices.
Instead, there have been reports that hAnt can also spread on its own, automatically, to other mining equipment connected to the same network, however, this mechanism hasn’t been explained in more technical details, as of yet.
However, an hAnt worm-like component would explain a report from Yibenchain, the Chinese news site which first broke the story. The news outlet cited an executive from BTC.Top, a local Bitcoin mining company, who claimed that hAnt infected over 4,000 devices within minutes.
Besides financial losses caused by hAnt after the ransomware stopped normal mining operations, victims also reported losses caused by the time needed to reflash the infected mining equipment’s SD card to remove the ransomware and install clean firmware.
Last year, Bitmain, the company behind the Antminer line of mining rigs issued a security alert warning customers not to install firmware downloaded from other sites. The alert also includes basic advice on securing all types of mining rigs, not just Antminer equipment.
The English version hAnt ransom note is available below:
I am hAnt! I continue to attack your Antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1,000. I will stop attacking you! Otherwise I will turn off your antminer’s fan and overheat protection, which will cause you to burn your machine or will burn the house.
Click the ‘Diwnload firmware patch’ button to download the firmware patch with your specific ID. Just update it to your normal Antminer to get infected.
You can bring the machine that updated the patch to another computer room to complete the infection, or induce others to use the firmware patch in the network group.
Or support 10 BTCs, I will stop attacking.