Big ATM & POS manufacturer infected with Ransomware. SANS & CEH certified team couldn’t prevent it

Any company can become a victim of a cybersecurity incident. According to experts in a hacking course, Diebold Nixdorf, a provider of ATMs and payment technology for banks and retail stores, recently suffered a ransomware infection that disrupted some of its operations. In a report, the company claims that threat actors did not access its ATMs or customer networks, as the attack was limited to its corporate networks.

Diebold is one of the most important companies in the ATM market, covering approximately 35% of global demand. It currently has about 35,000 employees and also manufactures solutions such as point-of-sale and multi-store software.

According to the hacking course experts, the incident occurred on the night of April 25, when the company’s IT team detected signs of anomalous activity on its corporate network. The company’s staff immediately isolated the affected systems to prevent the spread of the ransomware.

A source close to the incident revealed that the measures implemented by the company halted the spread of the infection, although the operations of about 100 of Diebold’s customers were affected by the disruption of a service request automation system.

After the incident response process, the company initiated an investigation that concluded that threat actors used the ProLock ransomware, a rare but increasingly popular variant. Also known as PwndLocker, this variant has been identified in various attacks on the IT infrastructure of some counties in the U.S. Hacking course experts claim that its creators relaunched the malware under another name after a tool was released to remove PwndLocker encryption.

Apparently, the company has refused to negotiate with the threat actors, so it will need to restore the affected services by its own means. Considering previous attacks associated with these hackers, the ransom amount demanded is believed to range from $170 to $600,000, although Diebold did not confirm an exact figure.

According to the International Institute for Cyber Security (IICS), multiple cyberattacks occur on weekends, as threat actors hope that companies will not have the necessary personnel on hand at that time to deal with an intrusion. Experts also mention that, in addition to encrypting information, more and more ransomware groups are turning to exposing sensitive information as a way to put pressure on affected companies and force them to pay the ransom.