Ransomware Threatens Mining Rigs in China with ‘Death by Overheating’

By Warren Hayes | January 30, 2019

A file-locking malware called H-Ant appears to have begun holding mining rigs hostage, threatening to destroy rigs in China by switching off their cooling fans if a ransom of 10 BTC (about $35,000) is not paid.

Numerous mining rigs, including S9, T9 and L3 Antminer Litecoin miners and Canaan-brand Avalon miners, are susceptible to H-Ant attacks. H-Ant was first discovered in August 2018, but it has resurfaced prominently this month, reportedly attacking miners in China.

According to Chinese media, a rig is incapable of mining cryptocurrencies once infected with H-Ant. When connected to an LCD screen, the infected rig displays a message in both English and Chinese:

“I am H-Ant. I will continue to attack your Antminer and as long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of Antminers reaches 1,000 — I will then stop attacking you. I can also turn off your Antminer’s fan and overheat protection, which will cause you to burn your machine or can burn down the house.”

To resolve the situation, the message then instructs the following: “Click the ‘download firmware patch’ button to download the firmware patch with your specific ID and just update it to your normal Antminer firmware to get infected. You can bring the machine that updated the patch to another computer room to complete the infection, or induce others to use the firmware patch in the network group — Or pay 10 BTC and I will stop attacking.”

According to mining pool BTC.top founder Jiang Zhuoer, the infection is a Linux-based virus that can easily find its way into the firmware files of mining rigs. Jiang suspects H-Ant could have come from an anonymous creator of overclocking firmware used to increase a rig’s overall hashrate. The ransomware could have spread through a popular Baidu cloud service, although its creator may not be Chinese and could be controlling the virus’ onset, Jiang was reported as saying.

“It suggests two possibilities – the hacker is deliberately targeting China where bitcoin mines are concentrated; second, Chinese miners inadvertently helped spread the virus before they realized the overclocked firmware was infected,” added Jiang.

Fortunately, the H-Ant problem can be fixed without paying the ransom. Crypto media reports have pointed out that reflashing a rig’s SD card and reinstalling a clean version of the firmware should do the trick.
