Bitcoin (BTC) miners in China are in a bind after a ransomware named ‘hAnt’ began targeting specific mining rigs such as Bitmain’s Antminer S9, T9 and L3. The ransomware has also found its way into Avalon rigs. The malicious code was first detected in August 2018, and its origin is still unclear. Some Chinese security experts suspect that hAnt comes hidden inside tainted versions of mining rig firmware that have been circulating online since last summer.

hAnt functions like any other ransomware: it encrypts the files on the infected miner. The rig halts mining because those files remain inaccessible until the user complies with the ransomware’s demands. When rig owners attempt to investigate an affected machine, they are presented with an image of an ant flanked by two pickaxes in green ASCII characters, similar to the red skull screen displayed by the NotPetya ransomware.

When users click anywhere on the screen, a message in Mandarin and ‘imperfect’ English pops up. The English version of the message seen by BTC miners is as follows.

I am hAnt! I continue to attack your Antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1,000. I will stop attacking you! Otherwise I will turn off your antminer’s fan and overheat protection, which will cause you to burn your machine or will burn the house. Click the ‘Diwnload firmware patch’ button to download the firmware patch with your specific ID. Just update it to your normal Antminer to get infected. You can bring the machine that updated the patch to another computer room to complete the infection, or induce others to use the firmware patch in the network group. Or support 10 BTCs, I will stop attacking.

Either Pay 10 BTC or Spread the Ransomware

In a nutshell, the ransomware gives two options: pay up or spread the code. Otherwise, it threatens to turn off the Antminer’s fan, causing the machine to overheat and be destroyed.

Incidents of hAnt Spreading on Its Own

There have also been incidents of the ransomware spreading on its own to mining equipment connected to the same network. An executive from BTC.com claimed that it infected 4,000 devices within minutes.

Current Solution

The only solution that has been effective so far is to re-flash the infected mining equipment’s SD card and install clean firmware. Users are also being advised to download firmware directly from the rigs’ original manufacturer rather than from other download sites.
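Because the suspected infection vector is tainted firmware from third-party download sites, the practical check before re-flashing is to confirm that the image you are about to write matches the digest the manufacturer publishes for it. The script below is an added example and is not code from the article, from Bitmain or from any rig vendor. It assumes the manufacturer publishes a checksum list in the common SHA256SUMS layout (one `<hex digest>  <file name>` per line); the file name, the firmware bytes and the checksum list in `demo()` are constructed for the demonstration. A matching digest only proves the image is the one the vendor listed, so it must be paired with downloading from the vendor's own site, as the article advises.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse a checksum list in the common 'SHA256SUMS' layout:
    one '<hex digest>  <file name>' (or '<hex digest> *<file name>') per line.
    Blank lines and '#' comments are ignored; malformed lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue
        entries[name.lstrip("*").strip()] = digest
    return entries


def verify_firmware_image(image_path, sums_text: str) -> bool:
    """True only when the image's digest matches the digest listed for its file name.
    A missing entry is treated as a failure, not as 'nothing to check'.
    compare_digest avoids an early-exit comparison that could leak timing."""
    image_path = Path(image_path)
    expected = parse_sha256sums(sums_text).get(image_path.name)
    if expected is None:
        return False
    actual = sha256_of_file(image_path)
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed demonstration: a fake firmware image (not a real vendor file)
    and a matching checksum list, then the same image after a one-byte change,
    then an image whose name is absent from the checksum list."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical file name; no real firmware is involved.
        image = Path(tmp) / "example-miner-firmware.tar.gz"
        image.write_bytes(b"constructed firmware payload\n" * 1000)
        sums = f"{sha256_of_file(image)}  {image.name}\n"
        untampered = verify_firmware_image(image, sums)
        # Flip one byte near the end: a streaming digest still catches it.
        image.write_bytes(b"constructed firmware payload\n" * 999
                          + b"Constructed firmware payload\n")
        tampered = verify_firmware_image(image, sums)
        unlisted = verify_firmware_image(image, "# no entries here\n")
        return untampered, tampered, unlisted


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Run it against a real download by calling `verify_firmware_image("<downloaded image>", open("<vendor checksum file>").read())` and refusing to flash unless it returns `True`; an unlisted file name is deliberately a failure so that a renamed or mismatched image cannot slip through as "unchecked".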