Antminer, the world’s leading Bitcoin mining rig brand, has released a guide to defend against the cryptojacking haunting its user base in China for months long, after ten days 8btc shed light on the new ransomware.

Named hAnt, the new ransomware strain was first observed in August of last year, but a new wave of massive infections has been reported hitting mining farms particularly in China earlier this month.

Affected mining rigs can either pay a 10 BTC ransom or download a malicious firmware update that they have to apply to other mining rigs to further spread the ransomware.

Most of the infected mining rigs are Antminer S9 and T9 devices for bitcoin mining, and there have also been reports of hAnt infecting Antminer L3+ which is used for mining Litecoin. In rare instances, Avalon miners were also reported as hacked, but in much smaller numbers. Though it is unclear how many miners have been infected, industry insiders claimed it could infect over 4,000 devices within minutes.

The incident sparked somewhat of a fury among miners. Many claimed that

Antminer should be providing a patch to secure against this instead of blaming it on unofficial firmware updates and leaving the equipment owners hanging in the wind.

While some refuted that

It was those equipment owners to blame for they were trusting strangers with their money. As the devices were believed to be infected through miners’ downloading overlocking firmware with anonymous sources.

As the prolonged hack became heatedly talked about among miners, and also considering the virus’ infectious nature, Antminer released an official announcement.

According to the analysis and investigation conducted by Antminer, most infections were caused by users’ visiting suspicious websites and downloading third-party firmware. For those mining farms that are unaware of the infection, if any, Antminer lists four symptoms to identify the traces of virus, including:

1. The miners registered with the mining pool are tampered with by unknown entities;
2. The management dashboard fails to update the firmware when requested. The infected system will show a countdown of 120 seconds in the middle of the page but freeze on the spot;
3. Unauthorized changes of password leave the owner no access to the dashboard;
4. Scores of mining rigs stop generating hashpower while both the hardware and Internet are operating as normal.

The company also provides four pre-caution methods for mining farm owners:

1. Avoid accessing the unauthorized websites;
2. Do not download and use third-party firmware (In particular, overlocking firmware for S9 and T9+). The Antminers after-sales support department draws a line here, and whoever crosses the line claims all liabilities incurred;
3. Frequent changes of password is appreciated;
4. Reboot second-hand mining rigs and mining devices which have undergone maintenance in unofficial sites, and later, a change of password shall follow.

For those who have unfortunately fallen victim to the hackers, Antminer suggests three measures to take before consulting a franchised maintenance shop:

1. Quarantine infected mining rigs after a comb through all the equipment, which cuts off the possible medium for virus to spread;
2. Format the SD card of the infected miners, which is somewhat similar to re-installing an operating system;
3. A change of password is due as the first thing following the formatting.

The last resort, as exactly suggested at the end of the announcement, is always “to report to the Antminer After-Sales Support.”

The most part of this guide is the same with the security alert issued by the company two months ago when the hack was still in its early stage. The virus has so far been evolving into many variants, the latest variant can even monitor miners change their passwords and record the new ones. If such, the steps above would be all in vain, which leads some to ponder the root cause of all this, the overlocking firmware? A Reddit user argued,

“…If it can be overclocked then users should have a right to overclock it. The company is forcing users to use unverified software if they want to use the machine (that they own) to its fullest potential…”