{
	"id": "0914a26c-0e78-4851-9b91-d9845636ad98",
	"created_at": "2026-04-06T00:14:49.246043Z",
	"updated_at": "2026-04-10T13:11:47.948422Z",
	"deleted_at": null,
	"sha1_hash": "0fa4f85d7939ceb43b0020b225059867a16e0a6b",
	"title": "Ransomware Hit ATM Giant Diebold Nixdorf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79960,
	"plain_text": "Ransomware Hit ATM Giant Diebold Nixdorf\r\nPublished: 2020-05-11 · Archived: 2026-04-05 18:21:07 UTC\r\nDiebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and\r\nretailers, recently suffered a ransomware attack that disrupted some operations. The company says the hackers\r\nnever touched its ATMs or customer networks, and that the intrusion only affected its corporate network.\r\nCanton, Ohio-based Diebold [NYSE: DBD] is currently the largest\r\nATM provider in the United States, with an estimated 35 percent of the cash machine market worldwide. The\r\n35,000-employee company also produces point-of-sale systems and software used by many retailers.\r\nAccording to Diebold, on the evening of Saturday, April 25, the company’s security team discovered anomalous\r\nbehavior on its corporate network. Suspecting a ransomware attack, Diebold said it immediately began\r\ndisconnecting systems on that network to contain the spread of the malware.\r\nSources told KrebsOnSecurity that Diebold’s response affected services for over 100 of the company’s customers.\r\nDiebold said the company’s response to the attack did disrupt a system that automates field service technician\r\nrequests, but that the incident did not affect customer networks or the general public.\r\n“Diebold has determined that the spread of the malware has been contained,” Diebold said in a written statement\r\nprovided to KrebsOnSecurity. “The incident did not affect ATMs, customer networks, or the general public, and its\r\nimpact was not material to our business. Unfortunately, cybercrime is an ongoing challenge for all companies.\r\nDiebold Nixdorf takes the security of our systems and customer service very seriously. Our leadership has\r\nconnected personally with customers to make them aware of the situation and how we addressed it.”\r\nNOT SO PRO LOCK\r\nAn investigation determined that the intruders installed the ProLock ransomware, which experts say is a relatively\r\nuncommon ransomware strain that has gone through multiple names and iterations over the past few months.\r\nFor example, until recently ProLock was better known as “PwndLocker,” which is the name of the ransomware\r\nthat infected servers at Lasalle County, Ill. in March. But the miscreants behind PwndLocker rebranded their\r\nmalware after security experts at Emsisoft released a tool that let PwndLocker victims decrypt their files without\r\npaying the ransom.\r\nDiebold claims it did not pay the ransom demanded by the attackers, although the company wouldn’t discuss the\r\namount requested. But Lawrence Abrams of BleepingComputer said the ransom demanded for ProLock victims\r\nhttps://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/\r\nPage 1 of 2\n\ntypically ranges in the six figures, from $175,000 to more than $660,000 depending on the size of the victim\r\nnetwork.\r\nFabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are\r\ntrue, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files\r\nsuch as database files.\r\nAs luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held\r\nhostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.\r\n“We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from\r\nthe ransomware authors,” Wosar said.\r\nWEEKEND WARRIORS\r\nBleepingComputer’s Abrams said the timing of the attack on Diebold — Saturday evening — is quite common,\r\nand that ransomware purveyors tend to wait until the weekends to launch their attacks because that is typically\r\nwhen most organizations have the fewest number of technical staff on hand. Incidentally, weekends also are the\r\ntime when the vast majority of ATM skimming attacks take place — for the same reason.\r\n“After hours on Friday and Saturday nights are big, because they want to pull the trigger [on the ransomware]\r\nwhen no one is around,” Abrams said.\r\nMany ransomware gangs have taken to stealing sensitive data from victims before launching the ransomware, as a\r\nsort of virtual cudgel to use against victims who don’t immediately acquiesce to a ransom demand.\r\nArmed with the victim’s data — or data about the victim company’s partners or customers — the attackers can\r\nthen threaten to publish or sell the information if victims refuse to pay up. Indeed, some of the larger ransomware\r\ngroups are doing just that, constantly updating blogs on the Internet and the dark Web that publish the names and\r\ndata stolen from victims who decline to pay.\r\nSo far, the crooks behind ProLock haven’t launched their own blog. But Abrams said the crime group behind it\r\nhas indicated it is at least heading in that direction, noting that in his communications with the group in the wake\r\nof the Lasalle County attack they sent him an image and a list of folders suggesting they’d accessed sensitive data\r\nfor that victim.\r\n“I’ve been saying this ever since last year when the Maze ransomware group started publishing the names and\r\ndata from their victims: Every ransomware attack has to be treated as a data breach now,” Abrams said.\r\nSource: https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/\r\nhttps://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf/"
	],
	"report_names": [
		"ransomware-hit-atm-giant-diebold-nixdorf"
	],
	"threat_actors": [],
	"ts_created_at": 1775434489,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0fa4f85d7939ceb43b0020b225059867a16e0a6b.pdf",
		"text": "https://archive.orkl.eu/0fa4f85d7939ceb43b0020b225059867a16e0a6b.txt",
		"img": "https://archive.orkl.eu/0fa4f85d7939ceb43b0020b225059867a16e0a6b.jpg"
	}
}