ATM Provider “Diebold Nixdorf” Suffered a ProLock Ransomware Attack

• “ProLock” threat actors have managed to wound Diebold Nixdorf’s internal network.
• The ATM maker suffered a disruption affecting its automated field services system.
• The ransom wasn’t paid, but it is unknown if the actors managed to steal files in order to apply pressure now.

Diebold Nixdorf, the largest provider of ATMs (automatic teller machines) in the United States, has suffered a ransomware attack that harms its operations. The attack happened on April 25, 2020, when the company’s IT team detected an anomaly on their network. They responded immediately by disconnecting systems to contain the spread of the ransomware. Still, the damage was high enough to cause business disruption for over a hundred customers of Diebold Nixdorf. The main field of operations affected by this incident was the “automated field service technical support” platform.

Diebold Nixdorf has provided the following statement to Krebs on Security:

“The incident did not affect ATMs, customer networks, or the general public, and its impact was not material to our business. Unfortunately, cybercrime is an ongoing challenge for all companies. Diebold Nixdorf takes the security of our systems and customer service very seriously. Our leadership has connected personally with customers to make them aware of the situation and how we addressed it.”

According to the details that emerged from the subsequent investigation, the malware tool that was used by the actors was “ProLock,” a pretty rare ransomware strain. Diebold claims to not having paid the requested ransom, which for ProLock victims typically ranges between $175,000 and $660,000. As an Emsisoft spokesperson commented, this is the right thing to do with ProLock infections anyway, as large database files are unlikely to be successfully restored with the provided decryptor and are irreversibly corrupted.

The actors moved against the ATM maker during the weekend, which is a choice meant to help increase the chances of success. IT teams are more likely to be overwhelmed during the weekend, being off guard and understaffed. The longer it takes for the network admins to notice the infection, the more extensive the damage will get.

The final aspect of the incident is the question of whether the “ProLock” actors have stolen any files from Diebold Nixdorf or not. We have seen this practice in previous attacks of the same group of hackers, so it’s not improbable that we’ll see files getting leaked on the dark web as a form of pressure. Besides making ATMs, Diebold Nixdorf is also providing PoS systems, banking equipment, and retail industry software and services. That said, targeting a firm that is present in 130 countries, employs over 23,000 people, and provides services to millions is to be expected these days.