Hpe Ilo Ransomware Attacks HPE Interactive Lights-Out 4 Servers

A “Security Notice” shown as the login banner on the HPE Interactive Lights-Out 4 interface indicates that a malicious infection, known by the name Hpe Ilo Ransomware has found its way in. Although it is not yet known how exactly this threat proliferates, it is speculated that those who set up direct access to the Internet – instead of connecting via a secure VPN – are at greater risk of facing the malware. It is known that at least two specific vulnerabilities (CVE-2013-4786 and CVE-2017-12542) are targeted at the remote management system. iLO provides out-of-band management facilities, and it makes it possible to access HP servers remotely. With this access, administrators can turn on and reset severs, mount CD/DVD drives and images, as well as access the Integrated Management Log. At the moment, iLO 5 is the latest version, and Hpe Ilo Ransomware specifically affects iLO 4.


Unlike most other well-known ransomware infections, Hpe Ilo Ransomware is not targeted at random users. It focuses solely on iLO. The creator of the infection has managed to exploit known vulnerabilities (maybe one of the aforementioned ones) or direct access to the Internet, which indicates the carelessness of iLO users. If updates are installed in time to patch vulnerabilities, and secure connections are set up, malware like Hpe Ilo Ransomware cannot slither in. Unfortunately, this infection has proven that security backdoors exist. When the threat attacks, it silently enables Login Security Banner to show a ransom note, which is the “Security Notice.” The server is then rebooted, and data is wiped. Although the ransom note indicates that data is encrypted and that it is possible to decrypt it, it is more likely that the infection wipes the server’s drives instead. If that happens, there is no turning back, unless backups exist.

The ransom note supporting Hpe Ilo Ransomware is pretty straightforward: One needs to pay a ransom to obtain a decryption key that, allegedly, is the only thing that can recover corrupted data. First and foremost, if data is, in fact, wiped, no decryptor can assist. Regardless, the threat informs that the hard disk was encrypted using the RSA-2048 encryptor, and that the victim must contact the creator of the ransomware via 15fd9ngtetwjtdc@yopmail.com. If the victim emails this address, they should be provided with a Bitcoin address (apparently, a unique one for every victim) and a specified sum as the ransom. It appears that the 2 BTC ransom (at the moment, 2 bitcoins convert to 14,700 US Dollars) is the size that is most common, but it would not be surprising if it could be adjusted. Speaking of ransom sizes, the “Security Notice” mentions one strange thing: “negotiations almost impossible unless you are russian citizen.” It appears that the creator of Hpe Ilo Ransomware is either afraid or fond of Russian iLO users.

The ransom requested by Hpe Ilo Ransomware is extreme, and not all victims might be even capable of paying it. Even if money is not an issue, it is important to consider the fact that data might be impossible to recover, in which case, sending thousands of Dollars straight into the pocket of cyber criminals simply makes no sense. In the best case scenario, the data stored on the affected drives is backed up outside, and it is enough to remove Hpe Ilo Ransomware components. That is not all that should be done. Although this ransomware might be the first “encryptor” to target HPE iLO systems, it might not be the last one. Therefore, appropriate security measures must be taken immediately.

One of the security vulnerabilities – CVE-2017-12542 – known to affect HPE iLO users was patched in August 2017. This means that this update has been available for almost a year now. Surprisingly, some users manage to skip updates, and that is risky business because systems with known vulnerabilities are always the ones targeted by cyber criminals. This specific vulnerability affects HP iLO 4 servers with versions 2.53 and earlier. Unfortunately, new vulnerabilities are frequently found, and so not a single update should be skipped. Backing up data outside of the server is extremely important too because, in the event of data being wiped or encrypted, you want to have a backup.