It has been a busy week in the news for ransomware. First, it emerged that a new family called Phobos had been discovered and was being used by the group behind the Crysis and Dharma families of ransomware. Then reports emerged of another new ransomware called Anatova. Finally, although the week has not ended yet, another new ransomware called hAnt has been seen infecting Bitcoin mining rigs in China.
China is widely regarded as the country with the highest concentration of mining farms. Thus, it is no coincidence that the majority of hAnt infections have been reported from China. News of the infections initially broke on Yibenchain.com, with a later article in English published on ZDNet. According to the ZDNet article, the ransomware was first discovered in August 2018; however, a new campaign targeting mining farms appears to have started earlier this month.
The majority of infected rigs are Antminer S9 and T9 devices, used for Bitcoin mining. There have been instances where Antminer L3 rigs have been infected and, in very rare instances, Avalon mining equipment. The L3 rigs are specifically designed to mine Litecoin, while Avalon equipment specializes in mining Bitcoin. It is still unclear how the attackers are able to infect the rigs, but some security experts have suggested that hAnt comes hidden inside tainted versions of mining rig firmware that have been making the rounds online since last summer.
According to reports from Chinese media outlets, once a rig is infected with hAnt the malware immediately locks it and prevents it from mining any cryptocurrency from that point on. Owners of the rig are then presented with a splash screen depicting an ant and two pickaxes in green ASCII characters, similar to the red skull splash screen displayed by the NotPetya ransomware. If the user clicks on the screen or presses a key, the ransom note is loaded. The ransom note is written in English and Chinese, with the English version reading as follows:
“I am hAnt! I continue to attack your Antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1,000. I will stop attacking you! Otherwise I will turn off your antminer's fan and overheat protection, which will cause you to burn your machine or will burn the house. Click the 'Diwnload firmware patch' button to download the firmware patch with your specific ID. Just update it to your normal Antminer to get infected. You can bring the machine that updated the patch to another computer room to complete the infection, or induce others to use the firmware patch in the network group. Or support 10 BTCs, I will stop attacking.”
The ransom note is unique in the sense that it gives the victim a choice. Either they can pay 10 Bitcoins, which at the time of writing is roughly 35402 USD, or they can infect another 1,000 rigs to regain use of their own. According to the note, the malware is spread by downloading a malicious firmware update that the victim then applies to other mining rigs. If the malicious firmware is not spread and the ransom is not paid, the attacker threatens to turn off the rig's fan and disable the other measures designed to protect the rig from overheating, so that it suffers a severe failure which can, in turn, result in a fire. It is not unheard of for rigs to ignite and cause severe damage.
There have not been any reports suggesting that rigs have failed critically due to hAnt infection. This hopefully means that the threat is empty. Researchers have, however, suggested that hAnt could theoretically abuse an overclocking feature in the Antminer firmware to overheat and compromise devices. What is perhaps more concerning is that the Yibenchain article mentioned above suggested that hAnt has worm-like components. If true, this would mean that hAnt could spread laterally on its own, increasing the number of infections. Currently, these capabilities cannot be confirmed, as there is a general lack of technical data available. It is hoped that a full analysis of the ransomware is currently underway.
Anatova Also Stealing Headlines
Anatova infections have been reported in Belgium, Germany, France, and the UK. However, the large majority of reported infections have come from the US. The ransomware itself has a few interesting features, one of which is an anti-analysis component. This component, once triggered under a specific set of conditions, embeds a memory-cleaning module in an attempt to prevent security researchers from analyzing samples.
Another interesting feature is the ransomware's modular architecture, which suggests that it could also be used to distribute other forms of malware later on. This further suggests that whoever the malware author or authors are, they are highly skilled. Once launched, the ransomware asks for admin privileges, runs a few diagnostic checks and then encrypts files on the computer. The ransom note then demands 10 DASH coins, approximately 700 USD at the time of writing.
In a report released by McAfee, analysis revealed that Anatova uses the icon of a game or an application to lure users into downloading it. Anatova may be one of the best examples yet of the next step in ransomware evolution: the inclusion of functions that take advantage of the full spectrum of monetization possibilities. This way, even if the victim does not pay the ransom, the criminals can still make money by stealing private and sensitive information or by selling access to the compromised machine.