
HPE iLO Ransomware

By GoldSparrow in Ransomware

PC security researchers started paying attention to the HPE iLO Ransomware, an encryption ransomware Trojan, after an attack on April 25, 2018. Server administrators reported an attack involving the HPE iLO Ransomware, which caught the attention of malware researchers because of the way it compromises servers that use the iLO (Integrated Lights-Out) service. This functionality, which allows efficient remote control of a server, is what the con artists exploit to carry out their ransomware attacks.

How the HPE iLO Ransomware Attack is Carried Out

The people associated with the HPE iLO Ransomware scan the Web for servers that expose integrated HPE iLO functions and use brute force attacks to obtain the login credentials. Some PC security researchers have speculated that iLO firmware combined with weak security measures allowed the con artists to gain access to servers that are accessible online. Once access was gained by guessing the login credentials for the targeted server, the cyber crooks had administrative access to any attached storage devices. The HPE iLO Ransomware was then used to lock access to the drives on the infected servers. The attackers caused the affected servers to display a 'Security Login Banner' on the affected iLO card, which delivered the following message to the victims of the attack:

'Security Notice
Hey, Your hard disk is encrypted using RSA 2048 asymmetric encryption. To decrypt files you need to obtain private key.
It means We are the ones in the world to recover files back to you. Not even god can help you. Its all math and cryptography.
If you want your files back, Please send an email to15fd9ngtetwjtdc@yopmail.com.
We don't know who are you, All what we need is some money and we are doing it for good cause.
Don't panic if we don't answer you during 24 hours. It means that we didn't received letter and write us again.
You can use one of that bitcoin exchangers for transfering bitcoin.
h[tt]ps://localbitcoins[.]com
h[tt]ps://www.kraken[.]com
Please use english language in your letters. If you don't speak english then use h[tt]ps://translate.google[.]com to translate your letter on english language.
Process:
1) Pay some BTC to our wallet address.(negotiations almost impossible unless you are russian citizen)
2) We will send you private key and instructions to decrypt your hard drive
3) Boom! You got your files back.'

There is nothing to differentiate the tactics used by the HPE iLO Ransomware to carry out attacks from the encryption ransomware attacks used against individuals, except perhaps for the profile of the targets.
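The two observable steps described above, a burst of failed iLO logins from one source followed by a change to the iLO Security Login Banner, can be spotted in logs forwarded from the management card. The following detector is an added example, not code from the original article or from HPE; it assumes a constructed syslog-style line format (the real iLO message wording varies by firmware version) and a hypothetical `analyze` function that flags a source once it exceeds a failure threshold inside a sliding window:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-style format for events an iLO card forwards to a collector.
# The wording is constructed for this example; real iLO messages vary by firmware.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) iLO: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Login failure for user '[^']*' from (?P<src>[\d.]+)")
OK_RE = re.compile(r"Login success for user '[^']*' from (?P<src>[\d.]+)")
BANNER_RE = re.compile(r"Security Login Banner changed .* from (?P<src>[\d.]+)")

def analyze(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (alert, source_ip, host) tuples for the patterns described above."""
    alerts = []
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    flagged = set()                # sources already reported as brute-forcing
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = datetime.fromisoformat(m["ts"]), m["host"], m["msg"]
        if f := FAIL_RE.search(msg):
            q = failures[f["src"]]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and f["src"] not in flagged:
                flagged.add(f["src"])
                alerts.append(("brute_force", f["src"], host))
        elif (s := OK_RE.search(msg)) and s["src"] in flagged:
            alerts.append(("success_after_brute_force", s["src"], host))
        elif b := BANNER_RE.search(msg):
            alerts.append(("banner_change", b["src"], host))
    return alerts

# Constructed sample: a password-guessing burst, one unrelated failure,
# then a successful login and a banner change from the guessing source.
SAMPLE_LOG = [
    f"2018-04-25T02:14:{s:02d} srv01-ilo iLO: Login failure for user 'Administrator' from 198.51.100.7"
    for s in (1, 3, 5, 8, 11, 14)
] + [
    "2018-04-25T02:15:00 srv01-ilo iLO: Login failure for user 'admin' from 192.0.2.10",
    "2018-04-25T02:16:40 srv01-ilo iLO: Login success for user 'Administrator' from 198.51.100.7",
    "2018-04-25T02:17:05 srv01-ilo iLO: Security Login Banner changed by 'Administrator' from 198.51.100.7",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A successful login from an already flagged source, or any banner change on a card that is reachable from the Internet, is the point at which an administrator should assume the iLO credentials are compromised and isolate the management network.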

The HPE iLO Ransomware’s Ransom Demands

The HPE iLO Ransomware forces the servers to reboot during the attack before displaying the ransom note. Attempting to boot the affected servers results in 'No boot device found' errors, meaning that the victim's files remain locked until the ransom is paid. Because of the extent of the damage, the con artists demand a large ransom, 2 Bitcoins, which is nearly 20,000 USD at the current exchange rate. The people associated with the HPE iLO Ransomware attacks are likely based in Russia, since the message claims that Russian citizens can negotiate the ransom price, and con artists based in that country have a history of avoiding attacks on other Russian citizens.

Dealing with the HPE iLO Ransomware

It is clear that the HPE iLO Ransomware is not intended to be a problem for regular computer users. The HPE iLO Ransomware attacks seem to have been designed to target servers and server administrators specifically, taking advantage of the HPE iLO vulnerability. Since most reputable server administrators keep backup images of their servers with adequate security protections, most of the HPE iLO Ransomware attacks have been thwarted by wiping the affected servers and restoring the data from a backup. Although this is a lengthy process, it is the best way to deal with these threats: keep file backups and use them to restore the data.
