The hAnt Ransomware is a ransomware Trojan designed to take victims' computers hostage and then demand a ransom payment to restore access to the affected computer. The hAnt Ransomware differs from most ransomware Trojans in its intended targets: it is mainly designed to attack computers used for mining Bitcoin and other digital currencies. The hAnt Ransomware attacks were reported by the owners of Bitcoin farms located in China, which were infected with the hAnt Ransomware in January 2019. It is likely that the criminals distributing the hAnt Ransomware take advantage of corrupted mining system firmware to gain access to the victims' computers. Once they have gained access, they upload a worm that grants them access to other devices located on the infected computer's network. Using these tactics, the criminals can infect thousands of computers in a very short period.
What are the Consequences of an hAnt Ransomware Attack?
The hAnt Ransomware's main targets are the T9 and Antminer S9 models, dedicated devices designed for mining Bitcoin. Malware researchers have also observed Avalon Miner systems being targeted by the hAnt Ransomware, although to a lesser extent than the other systems. The hAnt Ransomware attack works by locking the infected computer as soon as the hAnt Ransomware is activated. Once the hAnt Ransomware has been installed, it creates a lock screen. This screen shows an ant, two pickaxes, and a screen of green ASCII symbols. Interacting with the infected computer generates a message of red text over a black background. This is the hAnt Ransomware ransom note, which alerts the victim to the attack and demands a ransom payment. The hAnt Ransomware ransom demand is written in English and Chinese and contains the following text:
'I continue to attack your antminer. As long as you spread the infected machine, my server verifies that there are 10 new IPs and the number of antminers reaches 1000. I will stop attacking you! Otherwise I will turn off your antminer's fan and overheat protection, which will cause you to break your machine or will stop the income.
Click the "Download firmware patch" button to download the firmware patch with your specific ID. Just upload it to your normal antminer that got infected.
You can bring the machine that updated the patch to another computer to complete infection or introduce others to the firmware patch in the network group.
Or support 10 BTCs, I will stop attacking.'
To unlock one computer, the criminals responsible for the hAnt Ransomware demand either a payment of 10 Bitcoin (approximately 35,000 USD at the current exchange rate) or that the victim infect 1000 more devices. The criminals also threaten to disable the overheat protection on the infected computers, which would render them permanently unusable. Although it is unlikely that the criminals are capable of doing this, it is possible in theory.
Recovering from an hAnt Ransomware Attack
Most Bitcoin farming operations have reacted to the hAnt Ransomware attacks by wiping the affected devices and reinstalling the mining software to restore them to full capacity. Computer users must avoid interacting with the criminals responsible for the attack and take these measures to restore their devices. In the long run, the hAnt Ransomware seems to be little more than a nuisance. Although it is responsible for lost revenue, the criminals are unlikely to obtain their stated ransom demand unless new features are introduced into the hAnt Ransomware attack or the extent of the attack is expanded. The hAnt Ransomware infection relies on the criminals having access to the devices and installing a worm component, meaning that wider computer security measures are necessary to prevent these attacks in the first place.