According to reports from cybersecurity researchers, there’s a new ransomware virus on the loose that’s targeting bitcoin miners. A file locking program called H-Ant has allegedly infected certain Antminer models in China and if the ransom is not paid the software aims to destroy the infected machine.
New Ransomware Called H-Ant Attacks Mining Rig Operators in China
Ransomware creators have found a new target to attack in the form of bitcoin mining operations. Unlike most traditional ransom attacks, where victims have to obtain coins in order to pay the ransom, victims of the H-Ant ransomware have cryptocurrencies on hand to pay the malicious attackers. The H-Ant ransomware that specifically targets certain Antminer brand rigs was first discovered by cybersecurity experts back in August 2018 but the malware did not become prevalent until this month. H-Ant can attack an S9 model, T9, and possibly even L3 Antminer brand litecoin miners. There have also been limited reports of Canaan brand Avalon miners that have been infected, explained the regional media outlet Yibenchain.
According to reports, H-Ant attacks the S9, T9, and possibly L3 litecoin miners. The virus has also infected Canaan brand Avalon miners.
The report also detailed that once a mining rig is infected with the H-Ant virus, the device will seize and stop mining cryptocurrencies. Then, if the owner hooks the device to an LCD screen, a matrix-like screen splash will appear and reveal the H-Ant ransomware note written in both English and Chinese.
“I am H-Ant,” the English version of the ransom note explains. “I will continue to attack your Antminer and as long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of Antminers reaches 1,000 — I will then stop attacking you. I can also turn off your Antminer’s fan and overheat protection, which will cause you to burn your machine or can burn down the house.”
The ransom note continues by giving the H-Ant victim an odd choice to make:
Click the ‘download firmware patch’ button to download the firmware patch with your specific ID and just update it to your normal Antminer firmware to get infected. You can bring the machine that updated the patch to another computer room to complete the infection, or induce others to use the firmware patch in the network group — Or pay 10 BTC and I will stop attacking.
Custom Overclocking Firmware Might Be the Root Cause of the H-Ant Ransomware
Yibenchain detailed in its report that a miner using a pseudonym told the publication on Jan. 5 his mining software management interface displayed the H-Ant screen splash. Then he clicked the screen which displayed the ransom note asking for 10 BTC ($35K at press time). Moreover, mining pool Btc.top founder Jiang Zhuo’er told the Chinese news publication 8btc that miners have been monitoring the virus for a while now. The infection is a Linux based virus that can find its way into the mining rigs firmware files quite easily.
Jiang has detailed that the virus may have derived from an anonymous creator of an overclocking firmware. Mining pools often “overclock” their machines in order to increase the device’s overall hashrate. For example, with custom overclocking firmware an Antminer S9 that processes at 13.5 terahash per second (TH/s) could produce up to 18TH/s. Overclocking is not encouraged by mining rig manufacturers, but mining pools often download custom firmware that allows this behavior and the H-Ant virus likely derived from this trend. Jiang also told 8btc that the hacker may not be Chinese and “to some extent controls the onset of the virus.” The Btc.top founder believes that H-Ant may have been spread through a popular cloud service provided by Baidu.
“It suggests two possibilities – the hacker is deliberately targeting China where bitcoin mines are concentrated; second, Chinese miners inadvertently helped spread the virus before they realized the overclocked firmware was infected,” Jiang emphasized during his interview.
When asked if the H-Ant attack could affect large portions of pools mining popular SHA-256 mined networks, the mining pool executive didn’t seem too worried, stating:
It’s hard to see that happening. The hash power of bitcoin network is still highly decentralized with numerous mines, it’s quite difficult for hackers to just figure out the network location of these mines.
H-Ant allegedly also infected a Chinese miner’s facility in a matter of minutes holding 4,000 of his devices hostage. However, even though the virus does stop a machine from operating it can be fixed. Reports detail that the victim needs time to reflash the mining rig’s SD card and install a clean version of firmware. Of course, while the machine is being updated, the miner has still lost money due to inactivity.
What do you think about the H-Ant ransomware attacking Chinese miners? Let us know in the comments section below.
Images credits: Shutterstock, and Yibenchain.