Diebold Nixdorf has succumbed to a ProLock ransomware attack that is reported to have disrupted some operations.
First reported by KrebsOnSecurity, the ransomware attack struck the company on April 25 and affected services for more than 100 of the company’s customers. Diebold Nixdorf is the largest ATM provider in the US and holds an estimated 35% of the global cash machine market.
The company said the attack did not affect its ATMs, customer networks or the general public but did disrupt a system that automates field service technician requests.
An investigation into the attack found that those behind it had deployed ProLock ransomware, which was known as PwndLocker until it was rebranded in March, after a bug that had allowed a free decryptor to be created was fixed. The ransomware encrypts files on a victim’s machine while adding .proLock to the file name.
Those infected are then asked to pay a ransom for a decryption key. The ransomware is distributed via malicious BMP files, but the distribution path for the ransomware is not known.
Diebold Nixdorf said it did not pay the ransom but declined to discuss the amount requested. Previous ProLock and PwndLocker ransomware attacks have typically involved demands for payment in the six-figure range.
“This serves as a lesson that ransomware can impact organisations regardless of their size and technical stature,” says Erich Kron, security awareness advocate at security awareness training company KnowBe4. “In this case, Diebold was fortunate enough to have segmented their network, limiting the damage to the corporate network and sparing the other critical network systems and impact to customers.”
Many ransomware gangs have taken to stealing sensitive data from victims before launching the ransomware, as a sort of virtual cudgel to use against victims who don’t immediately acquiesce to a ransom demand.
Armed with the victim’s data — or data about the victim company’s partners or customers — the attackers can then threaten to publish or sell the information if victims refuse to pay up. Indeed, some of the larger ransomware groups are doing just that, constantly updating blogs on the Internet and the dark Web that publish the names and data stolen from victims who decline to pay.