Old Ransomware is Mass Attacking Mining Rigs
hAnt has Been Around Since 2018
hAnt was reportedly discovered in August 2018, and the source of the ransomware remains obscure to this day.
The code works just like other ransomware. Files on the rig being attacked become encoded, which puts a stop to all mining operations because the owner can no longer access them. This continues until the user accepts the demands made by the ransomware.
If the owners of affected rigs try to examine their machines, the code prevents them by displaying a picture of an ant with two pickaxes on both its sides, drawn in green ASCII characters. The image is similar to the red skull screen displayed by the NotPetya ransomware.
Message From hAnt
Also, when any portion of the screen is clicked on, it shows a message in Mandarin and ‘imperfect’ English.
The message that was displayed when translated into English reads:
“I am hAnt! I continue to attack your Antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1,000. I will stop attacking you! Otherwise, I will turn off your antminer’s fan and overheat protection, which will cause you to burn your machine or will burn the house. Click the ‘Download firmware patch’ button to download the firmware patch with your specific ID. Just update it to your normal Antminer to get infected. You can bring the machine that updated the patch to another computer room to complete the infection, or induces others to use the firmware patch in the network group. Or support 10 BTCs, I will stop attacking.”
According to the message, the miners are presented with two options, which are to either pay a ransom or spread the code. Or else, it will turn off the
Furthermore, there are reports that the code is spreading to other mining equipment connected to the same network on its own. There have been claims that it affected 4,000 devices within minutes.
Solution So Far
So far, the only solution that has been effective is to re-flash the infected mining equipment’s SD card and install clean firmware. Users are also being advised to download the firmware directly from the original manufacturer of the rigs and not from other download sites.