Over 5,000 HPE iLO 4 Interfaces Hit By Ransomware

A recent ransomware threat has hit thousands of Hewlett-Packard Enterprise Integrated Lights-Out 4 interfaces, or HPE iLO 4 for short. These interfaces provide access to HP Enterprise servers and their remote control. The ransomware encrypts the hard drives of the servers and then demands Bitcoins as a ransom to restore the files on the drives. A security researcher who goes by the Twitter handle @M_Shahpasandi was the first to discover the attack.

What Is Hewlett-Packard Enterprise iLO and Related Interface?

iLO is a remote server management processor embedded on the system boards of Hewlett-Packard Enterprise ProLiant servers and Synergy compute modules. The management processor enables the monitoring and controlling of servers from remote locations. HPE iLO management is a powerful tool that provides multiple ways to configure, update, monitor, and repair servers remotely.

The iLO web interface groups similar tasks for easy navigation and workflow. The interface is organized in a navigational tree view. The top-level branches are Information, iLO Federation, Remote Console, Virtual Media, Power Management, Network, Remote Support, and Administration. In a nutshell, the interface provides administrative access to all servers under its control.

More Information About the Attacks Targeting HPE iLO 4

For now, it seems that the HPE iLO interfaces hit by the ransomware are ones that are publicly accessible. Shodan statistics show that over 5,000 iLO 4 interfaces are exposed publicly.


If an HPE iLO interface is hit by the ransomware, its security banner is changed. The altered Login Security Banner added by the attackers states the following:

Security Notice

Hey. Your hard disk is encrypted using RSA 2048 asymmetric encryption. (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Berta Bilbao. Read the original post at: https://sensorstechforum.com/5000-hpe-ilo-4-interfaces-hit-ransomware/