Ransomware Hit ATM Giant Diebold Nixdorf

In an open-source news flash today, the FBI, through its Infragard Partnership, and citing krebsonsecurity.com, said that Diebold Nixdorf, a provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted some operations.

Krebs on Security, known for frequently breaking the news of security breaches, said, “According to Diebold, on the evening of Saturday, April 25, the company’s security team discovered anomalous behavior on its corporate network. Suspecting a ransomware attack, Diebold said it immediately began disconnecting systems on that network to contain the spread of the malware.”

The Infragard excerpt stated, “The company [Diebold Nixdorf] says the hackers never touched its ATMs or customer networks, and that the intrusion only affected its corporate network. An investigation determined that the intruders installed the ProLock ransomware, which experts say is a relatively uncommon ransomware strain that has gone through multiple names and iterations over the past few months; until recently ProLock was better known as “PwndLocker.” 

Diebold claims it did not pay the ransom demanded by the attackers, although the company wouldn’t discuss the amount requested. The ransom demanded [from] ProLock victims typically ranges in the six figures, from $175,000 to more than $660,000 depending on the size of the victim network. As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.”

When asked to contribute his unique perspective, Erich Kron, a well-known and oft-quoted security expert with KnowBe4, replied, “This serves as a lesson that ransomware can impact organizations regardless of their size and technical stature. In this case, Diebold was fortunate enough to have segmented their network, limiting the damage to the corporate network and sparing the other critical network systems and impact to customers.

Ransomware has not taken a break during the pandemic and has been active across industries, from pharmaceutical giants to municipalities, regardless of the impact on the public. For this reason, organizations need to ensure they are prepared for attacks such as this by training users to spot and report phishing attacks, the most common way ransomware spreads, and be ready with good endpoint protection and backups to help in the event the attack is successful.”

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications.