
HPE iLO Ransomware

Posted: April 27, 2018

The HPE iLO Ransomware is a file-locker Trojan that attacks systems managed through Integrated Lights-Out, HPE's proprietary out-of-band server management product. Besides deleting or encrypting data, the HPE iLO Ransomware also hijacks the default iLO login banner to display its ransom message, which demands Bitcoin in return for restoring your files. iLO interfaces never should be exposed directly and unprotected to the Internet; any users requiring disinfection should remove the HPE iLO Ransomware with conventional anti-malware technology and then regain control of the iLO itself (clear the altered banner, reset its credentials and update its firmware), since the banner lives in the management controller rather than on the server's disks.

Lights out on Your Server's Files

An active and robust campaign of taking files hostage in return for money is attacking business, NGO and government servers around the world. The responsible threat, the HPE iLO Ransomware, employs a payload highly specific to HPE's proprietary server management product, Integrated Lights-Out, and is already active in significant numbers within Asia, North America and Europe. Because the HPE iLO Ransomware hijacks the login screen, it also cuts the administrator off from the rest of the iLO's UI controls.

The HPE iLO Ransomware uses what malware experts estimate to be an RSA-based encryption method for locking documents, spreadsheets, images and other files across multiple servers. The full extent of the data loss isn't verifiable and may include the irreversible corruption or deletion of data. When it finishes this attack, it subverts the Login Security Banner (a standard iLO feature meant for legal or policy notices) to display its ransom message, which appears whenever the admin tries to log in.

The HPE iLO Ransomware's message blocks access to the rest of the iLO interface and displays a set of instructions for paying two Bitcoins to restore your data. The threat actors use a separate payment address per infection and provide different negotiating details for Russia-based victims, which suggests that they're intentionally avoiding the attention of Russian law enforcement.

Illuminating an iLO Trojan's Campaign

Since malware experts can't verify a working decryptor, the viability of recovering any files that the HPE iLO Ransomware locks is unproven. Furthermore, the absence of a client-specific ID implies that the threat actors have little interest in providing a decryption service to their victims, instead taking the Bitcoin payments and ignoring all further communications. Just like any other PC, iLO-managed servers should protect their data with additional, secure backups, stored where threats like the HPE iLO Ransomware can't reach them.

Malware researchers recommend against giving iLO interfaces any unprotected, direct connection to the Internet, since doing so opens them to significant exploitation by a remote attacker. At a minimum, placing the iLO on a separate management network reachable only through a Virtual Private Network (or VPN) can reduce its vulnerability to hijacking. While the campaign's exact entry point isn't yet confirmed, the con artists are believed to gain access to the iLO by other means, such as brute-forcing its login credentials, before carrying out the file-locking attack themselves. Absent outside interference, standard anti-malware programs should delete the HPE iLO Ransomware by default, like other Trojans of its type; administrators also should update the iLO firmware, reset its credentials and clear the modified login banner.
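The two conditions the article describes, an iLO reachable from the Internet and a login security banner replaced with a ransom note, can both be checked from an inventory script. The following is an added example written for this page, not code from the article or from HPE. It assumes that the unauthenticated `https://<ilo>/xmldata?item=all` endpoint (a real iLO feature) answers with RIMP XML shaped like the constructed sample below (real field names, made-up values), that the banner text is copied by the operator from the login page, and that the firmware baseline is the reader's own policy value rather than a number from the article. It performs no network I/O.

```python
"""Audit helpers for an exposed iLO and a hijacked login security banner.
Added example, not code from the article or from HPE. Assumptions: the
unauthenticated https://<ilo>/xmldata?item=all endpoint answers with RIMP XML
shaped like the constructed sample below (real field names, made-up values);
the banner text is copied by the operator from the login page; the firmware
baseline is your own policy value. No network I/O."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of an iLO 4's /xmldata?item=all reply.
SAMPLE_RIMP = """<?xml version="1.0"?>
<RIMP>
  <HSI>
    <SBSN>CZ00000000</SBSN>
    <SPN>ProLiant DL380 Gen9</SPN>
  </HSI>
  <MP>
    <ST>1</ST>
    <PN>Integrated Lights-Out 4 (iLO 4)</PN>
    <FWRI>2.40</FWRI>
    <SN>ILOCZ00000000</SN>
  </MP>
</RIMP>"""

# Constructed ransom-style banner; the address is fake but well-formed.
SAMPLE_BANNER = ("Your disks have been encrypted. Send 2 Bitcoins to "
                 "1ConstructedFakeAddressXYZ1234567 and e-mail the transaction "
                 "id to receive the decryption key.")

# Legacy (P2PKH/P2SH) and bech32 Bitcoin address shapes.
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
RANSOM_WORDS = ("bitcoin", "btc", "decrypt", "ransom", "wallet")


def parse_rimp(xml_text):
    """Extract product generation, firmware and host model from RIMP XML."""
    root = ET.fromstring(xml_text)
    mp = root.find("MP")
    product = mp.findtext("PN", "")
    gen = re.search(r"\((iLO \d+)\)", product)
    fw = mp.findtext("FWRI", "")
    return {
        "product": product,
        "generation": gen.group(1) if gen else None,
        # "2.40" -> (2, 40) so versions compare numerically, not as strings
        "firmware": tuple(int(p) for p in fw.split(".") if p.isdigit()),
        "server": root.findtext("HSI/SPN", ""),
    }


def is_internet_exposed(addr):
    """True when the iLO address is globally routable (not RFC 1918, loopback,
    link-local and so on), i.e. the direct exposure the article warns against."""
    return ipaddress.ip_address(addr).is_global


def banner_findings(banner):
    """Look for ransom-note markers in a login security banner."""
    lowered = banner.lower()
    return {
        "keywords": [w for w in RANSOM_WORDS if w in lowered],
        "addresses": BTC_ADDR.findall(banner),
    }


def audit_ilo(addr, rimp_xml, banner, min_firmware):
    """Combine the checks; min_firmware maps generation -> (major, minor)."""
    info = parse_rimp(rimp_xml)
    findings = []
    if is_internet_exposed(addr):
        findings.append("%s: iLO reachable on a public address" % addr)
    baseline = min_firmware.get(info["generation"])
    if baseline and info["firmware"] < baseline:
        findings.append("firmware %s below policy baseline %s" % (
            ".".join(map(str, info["firmware"])), ".".join(map(str, baseline))))
    marks = banner_findings(banner)
    if marks["addresses"] or len(marks["keywords"]) >= 2:
        findings.append("login banner carries ransom-note markers: %r" % marks)
    return info, findings


if __name__ == "__main__":
    # Baseline (2, 60) is a placeholder policy value, not a vendor number.
    info, findings = audit_ilo("1.2.3.4", SAMPLE_RIMP, SAMPLE_BANNER,
                               {"iLO 4": (2, 60)})
    print(info["server"], info["product"])
    for finding in findings:
        print(" -", finding)
```

In practice the RIMP document would come from an HTTPS GET against each iLO in the asset list and the banner from the login page, with the address compared against the management VLAN rather than only against public ranges; the checks themselves stay the same. A banner hit is worth treating as an incident indicator on its own, because a legitimate Login Security Banner has no reason to contain a cryptocurrency address.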

iLO is one of many brands of server management software that have contained vulnerabilities that con artists could put to work for themselves. Administrators should stay informed about the
