Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again. While it has not been 100% confirmed if the hard drives are actually being encrypted, we do know that multiple victims have been affected by this attack since yesterday.

HPE iLO 4, otherwise known as HPE Integrated Lights-Out, is a management processor built into certain HP servers that allows administrators to remotely administer the device. Administrators can connect to the iLO using a web browser or mobile app, where they will be greeted with a login page as shown below.

Normal HPE iLO 4 Login Page

Once logged in, an administrator can access logs, reboot servers, see server information, and more. What's even more powerful, though, is the ability to get a remote console to the server, which provides full access to the operating system shell that is currently accessible. For this reason, you should never connect an iLO device directly to the Internet and instead require access only through a secure VPN.

The HPE iLO 4 Ransomware

Today security researcher M. Shahpasandi posted a screenshot of an HPE iLO 4 login screen that contained a "Security Notice" stating that the computer's hard drives were encrypted and that the owners would have to pay a ransom to get the data back.

iLO 4 Ransomware

Source: Twitter

This security notice was added through the iLO 4 Login Security Banner configuration setting. This setting is found under Administration->Security->Login Security Banner as shown below.

Login Security Banner Section

This modified Login security banner added by the attacker states:

Security Notice Hey. Your hard disk is encrypted using RSA 2048 asymmetric encryption. To decrypt files you need to obtain the private key. It means We are the only ones in the world to recover files back to you. Not even god can help you. Its all math and cryptography . If you want your files back, Please send an email to 15fd9ngtetwjtdc@yopmail.com. We don't know who are you, All what we need is some money and we are doing it for good cause. Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again. You can use of that bitcoin exchangers for transfering bitcoin. https://localbitcoins.com https://www.kraken.com Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language. Process: 1) Pay some BTC to our wallet address.(negotations almost impossible unless you are a russian citizen) 2) We will send you private key and instructions to decrypt your hard drive 3) Boom! You got your files back.

After speaking to a victim of this attack and being given logs, this is how the attack appears to be conducted:

1. Attackers gain access to the iLO.
2. They enable the Login Security Banner in order to display the ransom note.
3. They mount a remote ISO using the virtual media manager.
4. They reboot the server.
5. An application on the mounted virtual CD encrypts/wipes the drive.
6. The server reboots again.

On reboot, the server will no longer be able to access the operating system and will instead display the dreaded "No boot device found" error.
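The sequence above (banner change, then virtual media mount, then reset) can be turned into a correlation rule for management-processor logs. The following is an added example, not code from the original article or from HPE; the event names, hosts, addresses and log records are constructed, and it assumes iLO events have already been normalized into one line per event.

```python
from datetime import datetime, timedelta

# Constructed, already-normalized management-processor events (not iLO's own
# log syntax): ISO timestamp, host, action, source address. Action names are
# hypothetical labels for the steps listed above.
SAMPLE_EVENTS = """\
2018-04-25T02:10:05 ilo-db01 login 203.0.113.50
2018-04-25T02:11:40 ilo-db01 banner_changed 203.0.113.50
2018-04-25T02:13:02 ilo-db01 virtual_media_mounted 203.0.113.50
2018-04-25T02:13:30 ilo-db01 server_reset 203.0.113.50
2018-04-25T02:41:12 ilo-db01 server_reset 203.0.113.50
2018-04-25T09:00:00 ilo-web02 login 10.0.8.15
2018-04-25T09:02:10 ilo-web02 virtual_media_mounted 10.0.8.15
2018-04-25T09:03:00 ilo-web02 server_reset 10.0.8.15
2018-04-25T11:00:00 ilo-app03 banner_changed 10.0.8.15
2018-04-26T11:30:00 ilo-app03 virtual_media_mounted 10.0.8.15
2018-04-26T11:31:00 ilo-app03 server_reset 10.0.8.15
"""

CHAIN = ("banner_changed", "virtual_media_mounted", "server_reset")

def parse_events(text):
    """Yield (timestamp, host, action, source) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue

def find_wipe_chains(text, window=timedelta(hours=1)):
    """Return hosts where the CHAIN steps occur in order within `window`."""
    progress = {}   # host -> (index of next expected step, time of first step)
    alerts = []
    for ts, host, action, src in sorted(parse_events(text)):
        step, start = progress.get(host, (0, None))
        if step and ts - start > window:
            step, start = 0, None          # chain went stale; start over
        if action == CHAIN[step]:
            start = start or ts
            step += 1
        if step == len(CHAIN):
            alerts.append({"host": host, "source": src, "start": start, "end": ts})
            step, start = 0, None
        progress[host] = (step, start)
    return alerts
```

On the constructed sample only ilo-db01 is flagged: ilo-web02 mounts media and resets without a banner change (ordinary maintenance), and the steps on ilo-app03 are more than an hour apart.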

According to the victim, the attackers are demanding 2 bitcoins to gain access to the drives again. The attackers will also provide a bitcoin address to the victim that should be used for payment. These bitcoin addresses appear to be unique per victim as the victim's was different from other reported ones.

An interesting part of the ransom note is that the attackers state that the ransom price is not negotiable unless the victims are from Russia. This is common for Russian-based attackers, who in many cases try to avoid infecting Russian victims.

Finally, could this be a decoy/wiper rather than an actual true ransomware attack? Ransomware attacks typically provide a unique ID to the victim in order to distinguish one victim from another. This prevents a victim from "stealing" another victim's payment and using it to unlock their computer.

In a situation like this, where no unique ID is given to identify the encrypted computer and the email is publicly accessible, it could be a case where the main goal is to wipe a server or act as a decoy for another attack.

HPE iLO 4 should never be connected directly to the Internet

Exposing a remote administration tool like iLO 4 to the Internet is never a good thing to do. These tools should only be accessible via secure VPNs in order to prevent them from being scanned for and accessed by anyone on the Internet.

The danger of exposing iLO to the public is further compounded when there are known vulnerabilities in older versions that would allow an attacker to bypass authentication, execute commands, and add new administrator accounts. Scripts that exploit these vulnerabilities are also readily available.

Finding connected iLO interfaces is also trivial. A quick search on Shodan shows that over 5,000 iLO 4 devices are connected to the Internet, with many of them being known vulnerable versions.

If you are currently using iLO 4 in your HP servers and are running an older version, make sure to upgrade to the latest firmware. Then check the administrative accounts to determine if any were created without your knowledge. Last, but not least, make sure that your iLO IP address is not accessible via the Internet and can be reached only through a VPN. Otherwise, you are just asking for trouble.



Updated 4/26/18: Added further information after speaking to one of the victims.