hAnt ransomware threatens China nationals to destroy their mining rigs

by Olivia Morelli

Antminer S9 and T9 Chinese mining rigs infected with hAnt ransomware


Cybersecurity researchers have identified a new file-locking cyber threat that has recently been hitting numerous computer users in China. The cryptovirus, known as hAnt, is aimed specifically at cryptocurrency mining rigs such as the Antminer S9 and T9. It has been active since August 2018 but became most visible in January this year.[1]

Although hAnt ransomware mostly targets Bitcoin mining rigs, it has also attacked the Antminer L3, a rig designed to mine Litecoin. Smaller miners have been affected as well, but in far lower numbers than the aforementioned rigs. The first to report these attacks was the Chinese news website Yibencian.[2]

Crooks demand a staggering 10 BTC ransom

As for how hAnt ransomware operates: once installed, the threat loads a green screen (with lettering reminiscent of NotPetya ransomware[3]) showing a picture of an ant and two hammers. As soon as the user clicks anything on that screen, the ransom message appears. The cybercriminals wrote the note in two languages, Chinese and English. The English version reads as follows:

I am hAnt! I continue to attack your Antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1,000. I will stop attacking you! Otherwise I will turn off your antminer's fan and overheat protection, which will cause you to burn your machine or will burn the house.

Click the 'Diwnload firmware patch' button to download the firmware patch with your specific ID. Just update it to your normal Antminer to get infected.

You can bring the machine that updated the patch to another computer room to complete the infection, or induce others to use the firmware patch in the network group.

Or support 10 BTCs, I will stop attacking.

Once hAnt ransomware takes over, the mining rig is shut down and cannot mine any cryptocurrency until the virus is removed. In the ransom note, the crooks offer victims two options: pay a 10 BTC ransom or spread the infected firmware to another 1,000 mining rigs.[4] If neither is done, they threaten to disable the fan and overheat protection and destroy the hardware permanently.

Although no user has yet confirmed that these threats are real, it is possible that hAnt ransomware can manipulate Antminer firmware and damage infected machines. It has been speculated that the threat enters target systems through outdated firmware and, once inside, spreads itself to the firmware of other rigs using a dedicated technique.

Removing the hAnt ransomware virus takes time and effort

According to affected users, hAnt ransomware has not only halted their mining operations but has also cost them a considerable amount of time to recover from the attack by installing fresh, clean firmware and clearing the threat from the system. Restoring the firmware from the SD card has also been necessary.

Bitmain, the well-known company that manufactures the Antminer line, has released tips on how to prevent remote attacks on Antminer products and protect the devices from malware infections. The three main precautions the company recommends are:[5]

  • avoid visiting unsafe third-party websites;
  • do not download any firmware or software that does not come from Bitmain;
  • change your passwords and choose very strong ones.
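The second precaution, installing only firmware that genuinely comes from the vendor, is the one hAnt abuses directly, since its "firmware patch" button is how the infection spreads from rig to rig. The script below is an added example (not code from 2-Spyware or Bitmain) of a pre-flash integrity check: it computes the SHA-256 of a firmware image and refuses to proceed unless the digest matches one the operator has recorded from the vendor's official download page. The digest table, the file names and the vendor's publishing of SHA-256 values are all assumptions; replace the placeholder with the real digest for the exact build you intend to install.

```python
"""Verify a miner firmware image against a known-good digest before flashing.

Added example: not part of the original article or of any vendor tooling.
The VENDOR_DIGESTS table is a constructed placeholder; populate it from the
digest the vendor publishes for the specific firmware build you download.
"""
import hashlib
import hmac
import sys
from pathlib import Path

# Constructed placeholder table (assumption): file name -> vendor-published SHA-256.
VENDOR_DIGESTS = {
    "Antminer-S9-example-firmware.tar.gz": "<vendor-published-sha256-here>",
}


def sha256_digest(data: bytes) -> str:
    """Hex SHA-256 of an in-memory firmware image."""
    return hashlib.sha256(data).hexdigest()


def verify_firmware(data: bytes, expected_hex: str) -> bool:
    """True only if the image's SHA-256 equals the expected digest.

    hmac.compare_digest is used so the comparison runs in constant time;
    the digests are normalised to lowercase so case differences in a
    copied value do not cause a spurious mismatch.
    """
    return hmac.compare_digest(sha256_digest(data), expected_hex.strip().lower())


def firmware_allowed(name: str, data: bytes, digests=VENDOR_DIGESTS) -> bool:
    """Allow an image only if its name is in the vendor table AND its hash matches.

    An image the operator never recorded a vendor digest for (such as a
    'patch' delivered by a ransom note) is rejected outright.
    """
    expected = digests.get(name)
    if expected is None:
        return False
    return verify_firmware(data, expected)


def check_file(path: str, digests=VENDOR_DIGESTS) -> bool:
    """Read a firmware file from disk and run the allow-list check on it."""
    p = Path(path)
    return firmware_allowed(p.name, p.read_bytes(), digests)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: verify_firmware.py <firmware-image>")
        sys.exit(2)
    if check_file(sys.argv[1]):
        print("OK: digest matches the recorded vendor value; safe to flash")
        sys.exit(0)
    print("REFUSED: unknown image or digest mismatch; do not flash")
    sys.exit(1)
```

Run it against the downloaded image before copying the file to the rig or SD card; a non-zero exit means the image is either not in your recorded list or does not hash to the value you took from the vendor's site. Keep the digest table on a machine other than the miner, since a compromised rig cannot be trusted to report its own integrity.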

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, the latest malware trends, software vulnerabilities, data breaches, and more.
