New ransomware demands that users pay 10 Bitcoin or infect another thousand mining devices

Attackers threaten to overheat and burn out users' mining platforms

Network security and ethical hacking specialists from the International Institute of Cyber Security report the discovery of a new ransomware variant that specifically targets Bitcoin mining platforms. So far, most known infections have been reported in China, the country with the largest number of cryptocurrency mining rigs in the world.

Dubbed 'hAnt', this ransomware was first detected in August 2018, although it only began spreading widely a couple of weeks ago.

According to network security experts, most infected mining devices are Antminer S9 and T9 units, which are primarily used for Bitcoin mining. Many hAnt infections have also been recorded on Antminer L3 equipment used to mine Litecoin. Other Bitcoin mining devices, such as the Avalon Miner, have also been infected, albeit to a lesser extent.

The method the attackers use to infect the devices is still unknown, although some China-based network security specialists theorize that hAnt is distributed hidden inside poisoned versions of the mining devices' firmware.

According to the evidence collected so far, once hAnt infects a platform, the device is locked and stops mining any virtual assets. When administrators connect to their devices, either remotely or directly, they find a home screen showing an ASCII-art illustration of an ant and two pickaxes, similar to the lock screens shown by other ransomware variants. Any interaction with this screen loads the hAnt ransom note, which is written in English and Chinese.

In the ransom note the victims are offered two options: pay a ransom of 10 Bitcoin (about $35k USD), or download an update of the malicious firmware and use it to infect another thousand mining devices. The note threatens to overheat and burn the device if neither condition is met.

There are still no records of destroyed devices, which leads experts to assume that this threat is a bluff. However, experts believe that hAnt is able to abuse one of the Antminer's built-in features to overheat devices. Experts also say that hAnt can propagate itself to other mining platforms connected to the same network, although further details about this claim are unknown.

Some victims of this infection report significant losses due to the downtime involved in re-flashing the mining device's SD card to remove the infection and reinstall the firmware.

Bitmain, the developer of the Antminer platforms, issued a security alert last year asking its users not to install firmware downloaded from unofficial sources, so users should be cautious when removing the hAnt infection and should reinstall only firmware obtained from Bitmain's official channels.