Posted in: Archive
Published:
January 25, 2019 2:49 AM UTC

Could This Crypto Ransomware Cripple China’s Bitcoin Mining Industry?


By CCN.com: China’s sprawling bitcoin mining industry is being targeted by a terrifying new ransomware strain that is threatening the economy of the Sichuan river basin where most mining farms are located, housing a huge percentage of the bitcoin blockchain’s hashpower.

First detected in August 2018, the ransomware, which is called “hAnt”, has been observed to target a wide variety of mining rigs, including Bitmain’s Antminer S9, T9 and L3 and Avalon equipment.

Its initial method of introduction remains unclear at the moment, but it is its method of propagation that is especially concerning for an already fragile industry, pummelled by weak bitcoin prices and the threat of changing government policy on cheap hydroelectric power. Like conventional ransomware, hAnt encrypts a miner’s files and renders it unusable – a death sentence for a mining operation whose profitability depends on constant uptime. This is where it gets interesting.

“Bandersnatch” of Ransomware

Whereas ransomware typically makes a demand for a certain amount in crypto in exchange for decryption instructions, hAnt employs an especially pernicious tactic, effectively forcing victims to choose their own poison, a la “Bandersnatch”. When equipment owners connect to the affected rig to see what the problem is, they are presented with the following interface.

Source: yibenchain.com

A click brings up the ransom prompt in Mandarin and halting English, which gives the user a choice: pay 10 BTC for decryption instructions, or infect other mining rigs with a downloadable firmware update, which further propagates the ransomware.

Source: yibenchain.com

In this way, the cybercriminals behind the scheme are able to create a revenue pipeline, knowing full well that not all miners can afford to pay the ransom, and some will inevitably choose the second option, which introduces the ransomware to a wider selection of miners who may be willing or able to pay the ransom.

In the event that the victim refuses to pay the ransom or spread the program, the note threatens to ruin the victim’s business by turning off the mining rig’s fan, which will lead to overheating and physical destruction of the delicate equipment. Thus far, there have been no confirmed reports of damaged equipment, which could either mean that the threat is empty, or that targeted victims are cooperating with the cybercriminals, which is even worse news.

BTC.top, a mining farm in the area, confirmed the existence of hAnt to ZDNet, claiming that over 4,000 rigs were infected within minutes, which some see as evidence that the ransomware can spread across a network of devices on its own.

In order to forestall the spread of hAnt and other ransomware, users have been advised to download firmware exclusively from their original equipment manufacturers while cybersecurity experts analyse and attempt to get the better of this latest critical threat.
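The advice above amounts to a simple control: never apply a firmware image unless it came from the OEM and matches the digest the OEM published for it. The following is an added example written for this page, not code from the article, from BTC.top or from any rig vendor. It checks a downloaded image against a vendor-style SHA-256 manifest and an allow-list of OEM download hosts before allowing a flash; the hostname, filenames, image bytes and digests are all constructed for the demonstration.

```python
"""Added example (not from the CCN article): gate a mining-rig firmware
update on (1) the download URL pointing at a known OEM host over HTTPS and
(2) the image matching the SHA-256 digest in the OEM's manifest.
Every host, filename, image and digest here is constructed for illustration."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allow-list of OEM firmware download hosts (hypothetical value).
TRUSTED_OEM_HOSTS = {"firmware.example-oem.invalid"}

# Constructed "known good" image and the manifest an OEM might publish
# alongside it: filename -> expected SHA-256 hex digest.
GOOD_FIRMWARE = b"constructed Antminer firmware image bytes (not real)"
MANIFEST = {
    "antminer-s9-update.bin": hashlib.sha256(GOOD_FIRMWARE).hexdigest(),
}


def host_is_trusted(url: str) -> bool:
    """True only for HTTPS URLs whose host is on the OEM allow-list.
    An image pushed from an infected rig or a third-party site fails here."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in TRUSTED_OEM_HOSTS


def verify_firmware(name: str, data: bytes, url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when every check passes."""
    if not host_is_trusted(url):
        return False, f"refusing firmware from untrusted source: {url}"
    expected = MANIFEST.get(name)
    if expected is None:
        return False, f"no manifest entry for {name}; cannot verify"
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so the check itself is not a timing oracle.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name}: got {actual[:16]}..."
    return True, "ok"


def apply_update(name: str, data: bytes, url: str) -> bool:
    """Stand-in for the flash step: only proceeds on a verified image."""
    ok, reason = verify_firmware(name, data, url)
    print(("APPLY " if ok else "REJECT ") + reason)
    return ok


if __name__ == "__main__":
    oem_url = "https://firmware.example-oem.invalid/antminer-s9-update.bin"
    apply_update("antminer-s9-update.bin", GOOD_FIRMWARE, oem_url)
    # Same filename, different bytes: what a tampered "update" looks like.
    apply_update("antminer-s9-update.bin", b"constructed tampered image", oem_url)
    # Correct bytes but served from an unknown host: still rejected.
    apply_update("antminer-s9-update.bin", GOOD_FIRMWARE,
                 "http://rig-peer.local/antminer-s9-update.bin")
```

The two checks are deliberately independent: a digest match alone would accept a genuine image re-hosted by an attacker together with a genuine manifest, and a trusted host alone would accept a corrupted or substituted download, so the flash step requires both.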

Hat tip to ZDNet.

Last modified: January 10, 2020 3:30 PM UTC

David Hundeyin @DavidHundeyin

I am a busy Nigerian writer, journalist and writer with an interest in tech and finance. When I'm not contributing to CCN and traveling around Africa, you can catch me contributing to CNN Africa, or in the writers room at 'The Other News', Nigeria's weekly answer to 'The Daily Show' with nearly 2 million viewers. My work on 'The Other News' was featured in the New Yorker Magazine, and that was then cited in the Washington Post so I'm not sure that counts as a feature but I'll definitely mention it too! I have been nominated by the US State Department to take part in the 2019 Edward R. Murrow Program for journalists under the International Visitors Leadership Program. I also like hamsters. You can reach me on Twitter at _David_Hundeyin
