ATM Manufacturer Diebold Nixdorf Hit With RansomwareCompany Says April Attack Caused 'Limited IT Systems Outage'
Diebold Nixdorf, one of the largest makers of ATMs, says it sustained a ransomware attack on April 25, but it reports that it experienced only a "limited IT systems outage" and ATM machines were not affected.
The company, law enforcement officials and a third-party security firm are continuing an investigation, a spokesperson for the North Canton, Ohio-based firm tells Information Security Media Group.
"Our company recently experienced a limited IT systems outage caused by a ransomware attack," the spokesperson tells ISMG. "Once we discovered the issue, we quickly restored service to key affected systems. We also immediately engaged a leading cybersecurity firm and informed law enforcement. The incident did not affect ATMs, customer networks, or the general public, and its impact was not material to our business."
Diebold Nixdorf, which sells ATMs as well as point-of-sale devices, physical security products and software used by retail and financial firms, declined to offer more details, including the ransomware strain involved, whether any data was encrypted and whether the company had been in communications with the attackers.
Security blogger Brian Krebs first reported the ransomware attack on Monday. Citing a source, Krebs reports that the while the attack was contained by the Diebold Nixdorf’s IT and security teams, the ransomware attack affected services for about 100 of its customers.
Krebs also reports that the company was hit by a ransomware strain called ProLock, which is more often referred to as PwndLocker.
The PwndLocker crypto-locking malware was first spotted by security researchers in late 2019, and its operators have hit victims ranging from an Illinois county to a Serbian city. It's been reported that the gang's ransom demands have ranged from $175,000 to more than $660,000, with payment requested in bitcoin (see: PwndLocker: Free Decryptor Frees Crypto-Locked Data).
In March, the operators of PwndLocker changed the name of their malware to ProLock after security firm Emsisoft released a free decryptor tool to help victims unlock their files and recover their data.
Krebs reports that Diebold Nixdorf did not pay a ransom. Fabian Wosar, Emsisoft's CTO, tells ISMG refusing to pay a ransom is the right decision because the cybercriminals’ decryptor tool does not work as advertised and will only cause more issues for a company after the ransom is paid and the victim receives the decryption key.
"That's because current versions of ProLock’s decryptor tool will corrupt larger files such as database files," Wosar says.
In another recent ransomware attack, mailing equipment manufacturer Pitney Bowes disclosed that it was recently targeted by the operators behind Maze variant (see: Pitney Bowes Battles Second Ransomware Attack)
And the Texas Office of Court Administration, which provides IT support for appellate courts and state judicial agencies within the Texas Judicial Branch, announced that a ransomware attack forced the staff to disable the branch network, including websites and servers, to stop the malware from spreading. This incident remains under investigation, although officials do not believe that any sensitive data was compromised.
Managing Editor Scott Ferguson contributed to this report.