Ransomware with a difference: “Derestrict your software, or else!”

Just over a year ago, graphics card behemoth Nvidia announced an unexpected software “feature”: anti-cryptomining code baked into the drivers for its latest graphics processing units (GPUs).

Simply put, if the driver software thinks you’re using the GPU to perform calculations related to Ethereum cryptocurrency calculations, it cuts the execution speed of your code in half.

This restriction isn’t meant to protect you from yourself, for example to limit hardware damage if you try to drive the GPU too hard and cause it to overheat dangerously.

This is all about managing supply and demand.

Unfortunately for keen gamers, who love powerful GPUs because they improve their gaming experience with faster and more realistic graphics, cryptocurrency mining syndicates love good GPUs even more.

That’s because GPUs greatly accelerate the mining of Ethereum-based cryptocurrencies, with calculation speeds (or hashrates, as they are known in the jargon) anywhere from five to ten times higher than a normal CPU from the same amount of electricity.

Even more unfortunately for gamers, who might buy one or two GPUs each at a time, mining syndicates use their purchasing power to buy up GPUs in bulk.

This, in turn, encourages scalpers to buy in bulk too, aiming to sell their “second hand” cards well above new retail prices when official supplies run out.

Nvidia decided to appease its many avid gaming fans – surely the company’s most loyal long-term GPU customers, given that they actually want graphics cards for doing graphics – by splitting its processor card line in two.

Mining XOR Gaming

As Nvidia said last year:

To address the specific needs of Ethereum mining, we’re announcing the NVIDIA CMP [Cryptocurrency Mining Processor] product line for professional mining. CMP products, which don’t do graphics, are [… ]optimized for the best mining performance and efficiency. They don’t meet the specifications required of a GeForce GPU and thus don’t impact the availability of GeForce GPUs to gamers.

The idea is that GeForce GPUs run at full speed if used for graphics, but if used for Ethereum mining are deliberately hobbled by Nvidia’s Lite Hash Rate system, or LHR for short.

Public opinion at the time of the announcement was sharply divided, as a quick look at the many comments on last year’s article will reveal.

Naked Security readers reacted in many ways.

A gamer called Trillian said, “Good on Nvidia!”

Others claimed this LHR behaviour was unfair because they used their GPU cards for a mix of gaming and mining (intermingled, intriguingly, with comments from readers who claimed those claims were made up).

And a commenter called J Riley Castine was even more critical, wanting to know, “How is such a move […] not a violation of anti-trust laws?”

Exit light, enter night

Well, it looks as though this year-old community divide over LHR has spilled over into outright cybercrime.

Popular technology website Tom’s Hardware, amongst numerous other commenters, is reporting that cybercrime gang Lapsus$ claims to have hacked Nvidia and stolen a terabyte’s worth of data…

…only to issue what amounts to an unusual ransomware demand: Remove the Lite Hash Rate limiter, or else!

According to an IM screenshot posted by Tom’s Hardware, the alleged hackers wrote:

Hello,

We decided to help mining and gaming community, we want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder.

If they remove the lhr we will forget about hw folder (it’s a big folder) We both know lhr impact mining and gaming.

Thanks.

The hw folder (hw is short for “computer hardware”) alluded to above is the claimed 1TB of allegedly stolen data, apparently including card schematics, driver and firmware code, internal documentation, and more.

Ironically, in the same message thread, these hackers also claim to be selling their own “LHR unlocker” for some Nvidia cards, although the underground market for such a cracking tool would clearly evaporate if Nvidia were to remove the LHR restrictions for everyone.

Perhaps the alleged existence of this darkweb LHR unlocker is supposed to make Nvidia feel even more pressurised, on the grounds that an LHR bypass could be made public anyway, so the company might as well go along with the blackmail demand?

What to do?

It’s hard to know what to believe when messages of this sort start circulating.

Did the hackers actually get in to start with? Did they really manage to steal the information they’re claiming? Was this a conventional ransomware attack, aiming at both stealing and scrambling data for extra leverage? If so, and we therefore assume that the data scrambling part was thwarted, why should we believe any of the boasts in the messages? Do the crooks really have an LHR unlocker of their own to add to the drama?

We may never know the answers to these questions, but we can learn from the allegations anyway, which reiterate the importance of defence-in-depth.

Defence-in-depth not only involves multiple layers of proactive protection aimed at early threat detection and prevention, but ideally also needs ongoing threat assessment and response, in order to figure out what really happened if anomalies are detected.

As the self-styled Nvidia hackers say:

We were into nvidia systems for about a week, we fastly escalated to admin of a lot of systems. We grabbed 1TB of data.

Whether that’s is true or not in this case, it does describe the nature of many modern cyberattacks, which aren’t simply automated “smash, gran and run” sallies any more.

Modern cyberintrusions typically involve human-led network exploration, privilege escalation, and data exfiltration, often over an extended period.

Intruders with administrator powers often introduce backdoors along the way, or add extra network accounts for themselves, thus giving themselves a quiet and easy way back in next time…

…if you don’t take the trouble to seek-and-destroy the boobytraps they left behind this time.


Learn more about Sophos Managed Threat Response here:
Sophos MTR – Expert Led Response  ▶
24/7 threat hunting, detection, and response  ▶


go top