Watch out! This Bitcoin ransomware is targeting Chinese mining companies

China’s massive bitcoin mining industry is becoming the target of a terrifying new ransomware that threatens the economy of the Sichuan River Basin, where most mining farms are located and a large percentage of the bitcoin blockchain’s hashpower.

First detected in August 2018, the ransomware, dubbed “hant,” targets a variety of mining rigs, including Bitmain’s Antminer S9, T9 and L3, as well as Avalon devices.

Its initial introduction method is currently unknown, but its method of spreading is particularly focused on already vulnerable industries, threatened by weak Bitcoin prices and government policy changes to cheap hydropower. Like traditional ransomware, hAnt encrypts miners' files, rendering them unusable - a death sentence for mining operations. Its profitability depends on constant uptime, and this is where it gets interesting.

• Ransomware's "Bandersnatch"

While ransomware typically requires a certain amount of encryption in exchange for decryption instructions, hAnt employs a particularly pernicious tactic that effectively forces victims to choose their own poison, known as "Bandersnatch." When device owners connect to an affected rig to see what the problem is, the following interface is displayed.

△The picture comes from a blockchain

Clicking on it will display a ransom note in Chinese and English, where users can choose to pay 10 BTC for decryption instructions. It brought additional threats, infecting other mining rigs through downloadable firmware updates, which further spread the ransomware.

△The picture comes from a blockchain

In this way, the cybercriminals behind the scheme are able to create a revenue channel, knowing full well that not all miners can afford to pay the ransom and that some will inevitably choose the second option, introducing the ransomware to a wider range of miners who may be willing or able to pay the ransom.

In this way, the cybercriminals behind the scheme were able to create a revenue pipeline, knowing full well that not all miners will be able to pay the ransom and some will inevitably choose the second option, which will introduce ransomware to those miners willing to pay the ransom.

If the victim refuses to pay the ransom or spread the program, the note could disrupt the victim's business by shutting down the mining machine fans, causing overheating and physical destruction of the delicate equipment. So far, there have been no confirmed reports of equipment damage, which could mean the threat was empty or that the intended victim is working with the cybercriminals, which is worse news.

BTC.top, a mining farm in the region that confirmed its existence to ZDNet, claims that more than 4,000 rigs were infected in a matter of minutes, with some suggesting the ransomware can spread on its own through a network of devices.

To prevent the spread of HANT and other ransomware, users are advised to download firmware only from OEMs while cybersecurity experts analyze and try to better exploit this latest serious threat.