HPE iLO 4 Encryption – Is it a Ransomware Attack or a Decoy?

Ransomware attackers are now targetting the HPE iLO4 remote interfaces that can be accessed by the internets. It’s been a while that we have heard of the ransomware attacks, and this news is now hitting the digital world, hard. For years, we have known that HPE iLO4 is used to encrypt our hard drives, which is why the hackers are now after them. They are demanding the Bitcoins as ransom in order to release the data. While this encryption of hard drives is not actually confirmed, there are people who have been suffering from this attack since yesterday.

What is HPE iLO 4?

HPE iLO 4, also known as the HPE Integrated Lights-Out 4 technology is a processor that is built in the HP servers. It allows the administrators to administer a device while they can connect to the iLO through the web browser or the mobile browser.

HPE iLO Remote Management Interfaces Hit by Ransomware

Once they log in, they are greeted with a login page. Here, one can access the servers, the logs, the reboot servers and other information as well. What makes it even more powerful is the ability through which one can get a console on the server that provides access to the operating systems.

The news has hit us through Twitter & Bleeping Computer, when the profound security researcher, M. Shahpasandi has tweeted about this with a screenshot of the HPE iLO 4 login that contained a security notice. Here, he tells that all the hard drives are actually encrypted and that the owners should actually pay the bitcoin ransom to the attackers in order to acquire their data back.

This security notice is actually added to the iLO 4 login and is found under Login Security Banner section at Administration>Security. It is yet unknown if the notice is actually a deal or a tactic used by the attackers in order to panic the victims for the payment. However, based on the public email address; it is known that around 9 people are trapped and that all of them are restrained from accessing their data.

HP iLO 4 Login Security Banner Section

Later, Mr. Shahpasan also tweeted that all of these attackers are demanding around 2 Bitcoins from each of the victims and that all of them should be sent to 19ujGd4zqwoHitT2D1hF3BVf73vYVCvxcm in order to get the decryption key. While no payments have been made to the Bitcoin address, the most interesting thing is that the attackers attached a note that says the price is negotiable.

Here’s what the security notice states:

Security Notice

Hey. Your hard disk is encrypted using RSA 2048 asymmetric encryption. To decrypt files you need to obtain the private key.
It means We are the only ones in the world to recover files back to you. Not even god can help you. Its all math and cryptography.
If you want your files back, Please send an email to 15fd9ngtetwjtdc@yopmail.com.
We don’t know who are you, All what we need is some money and we are doing it for good cause.
Don’t panic if we don’t answer you during 24 hours. It means that we didn’t received your letter and write us again.
You can use of that bitcoin exchangers for transfering bitcoin.
Please use english language in your letters. If you don’t speak english then use https://translate.google.com to translate your letter on english language.

1) Pay some BTC to our wallet address.(negotations almost impossible unless you are a russian citizen)
2) We will send you private key and instructions to decrypt your hard drive
3) Boom! You got your files back.

This Ransomware Attack is Now Spreading Fast!

Affected Users due to Ransomware attack on HPE iLO

As you can clearly see from the above image that there are thousands of users who are being affected by this Ransomware attack. The worst case in this is the ransom amount is almost 2 Bitcoins which is huge as compared to what was demanded during the WannaCry attack or Petya Ransomware attack!

Highly affected countries are the United States, Hong Kong, Germany, China and the United Kingdom. Till date, 16,456 users are affected and this is something to worry now!

Based on the history, this kind of alarming has been done by the Russian attackers. That said, the question here remains, ‘Is this a real ransomware attack or a decoy who is trying to gain some bitcoins?’. Let’s wait and see. If you are a victim of any Ransomware, you can check our detailed list of Ransomware decryptors and save your data & money both! 🙂

You might also like More from author

Comments are closed.