{
	"id": "bff1fab0-5d24-4082-a2ab-25f419d83378",
	"created_at": "2026-04-06T00:11:38.745736Z",
	"updated_at": "2026-04-10T03:21:24.603478Z",
	"deleted_at": null,
	"sha1_hash": "afe5f62f2dbf1a6745f66a8f16589d6f2152c265",
	"title": "A look at the ATM/PoS malware landscape from 2017-2019",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1251659,
	"plain_text": "A look at the ATM/PoS malware landscape from 2017-2019\r\nBy Kaspersky\r\nPublished: 2020-04-23 · Archived: 2026-04-05 20:12:33 UTC\r\nFrom remote administration and jackpotting, to malware sold on the Darknet, attacks against ATMs have a long\r\nand storied history.  And, much like other areas of cybercrime, attackers only refine and grow their skillset for\r\ninfecting ATM systems from year-to-year. So what does the ATM landscape look like as of 2020? Let’s take a\r\nlook.\r\nThe world of ATM/PoS malware\r\nATM attacks aren’t new, and that’s not surprising. After all, what is one of the primary motives driving cyber\r\ncriminals? Money. And ATMs are cash hubs—one successful attack can net you hundreds of thousands of dollars.\r\nIn the past, even high-profile threat actors have made ATMs their prime target.\r\nHowever, attacking ATMs is a bit different from traditional financial-related threats, like phishing emails or\r\nspoofed websites. That’s because ATMs operate in a unique space in the tech world: they’re still connected to the\r\ncorporate networks but at the same time must be accessible to anyone that passes by. The resulting technical\r\ndifferences means the attack methods differ from those used for traditional endpoints.\r\nATMs also share several common characteristics that make them particularly vulnerable to attacks:\r\nTraditional software that is part of the warranty offered by the vendors → If major changes occur that are\r\nnot approved by the ATM vendor, including installing AV software, then sometimes this warranty is lost.\r\nRegular use of outdated operating systems and the apps its runs on\r\nLocations chosen in a way that provide access to as many customers as possible, including those in remote\r\nregions → These isolated locations often lack any reasonable physical security\r\nOld software means unpatched vulnerabilities—ones criminals can exploit—and isolated areas makes it easier for\r\ncriminals to gain physical access to the internal ports of the motherboard. This is especially typical for the old\r\nATM machines located in many regions with low resources and no budgets for ATM upgrades.  When combined,\r\nATMs become not only a highly profitable target—but an easy one.\r\nFrom 2017 to 2019, there has been a marked increase in ATM attacks, due to a few families being particularly\r\nactive. These target systems around the globe, regardless of the vendor, and have one of two goals: either stealing\r\ncustomers’ information or funneling funds directly from the bank.\r\nConsidering all of the above, we decided to delve further into what has been happening in the world of ATM/PoS\r\nmalware for the last few years.\r\nATM/PoS malware attacks: by the numbers\r\nhttps://securelist.com/atm-pos-malware-landscape-2017-2019/96750/\r\nPage 1 of 8\n\nTo gain a closer look at ATM malware worldwide, we utilized the statistics processed by Kaspersky Security\r\nNetwork (KSN) over the course of the past three years globally.\r\nNumber of unique devices that encountered ATM/PoS malware, 2017-2019 (download)\r\nThe results showed that the number of unique devices protected by Kaspersky that encountered ATM/PoS (point-of-sale) malware at least once experienced a two-digit growth in 2018—and this number held steady, even\r\nincreasing slightly, in 2019.\r\nhttps://securelist.com/atm-pos-malware-landscape-2017-2019/96750/\r\nPage 2 of 8\n\nGeography of unique devices that encountered ATM/PoS malware, 2017 (download)\r\nTOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2017\r\nCountry Devices\r\n1 Russian Federation 1016\r\n2 Brazil 423\r\n3 Vietnam 281\r\n4 United States 148\r\n5 India 137\r\n6 Turkey 96\r\n7 China 94\r\n8 Germany 58\r\nhttps://securelist.com/atm-pos-malware-landscape-2017-2019/96750/\r\nPage 3 of 8\n\n9 Philippines 53\r\n10 Mexico 51\r\nThe ten countries that had the greatest number of unique devices affected by ATM/POS malware were relatively\r\ndispersed around the globe, with the highest number in Russia. Russia has had a long history of threat actors\r\ntargeting financial institutions. For example, it was in 2017 that Kaspersky researchers  uncovered an ATM\r\nmalware dubbed “ATMitch” that was gaining remote access control over ATMS at Russian banks. In addition, the\r\nrelatively high rates in both Brazil and Mexico can be partially attributed to Latin and South America’s\r\nlongstanding history as a hotspot of ATM malware.\r\nGeography of unique devices that encountered ATM/PoS malware, 2018 (download)\r\nTOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2018\r\nCountry Devices\r\n1 Russian Federation 1370\r\n2 Brazil 753\r\nhttps://securelist.com/atm-pos-malware-landscape-2017-2019/96750/\r\nPage 4 of 8\n\n3 Italy 537\r\n4 United States 519\r\n5 Vietnam 433\r\n6 India 408\r\n7 Thailand 369\r\n8 Germany 277\r\n9 Turkey 224\r\n10 Iran 198\r\nIn 2018, the countries with the greatest number of ATM/PoS malware incidents recorded by unique devices\r\nremained distributed worldwide, but the countries remained similar to 2017, with the highest activity recorded in\r\nRussia and Brazil.\r\nThe overall increase in the number of devices affected can be attributed to both the reappearance of new ATM\r\nmalware and the development of new families:\r\nATMJackpot first appeared in Taiwan back in 2016. It infects the banks’ internal networks, allowing it to\r\nwithdraw funds directly from the ATM. ATMJackpot was able to reach thousands of ATMs.\r\nWinPot was discovered at the beginning of 2018 in Eastern Europe and was designed to make the infected\r\nATM automatically dispense all cash from its most valuable cassettes. Because of its time counter, its\r\nexecution is time-dependent: if the targeted system’s time does not fall within the preset period during\r\nwhich the malware was programmed to work (e.g. March), WinPot silently stops operating without\r\nshowing its interface.\r\nIce5 originated in Latin America. Its engineering tool is written in a scripting language that allows the\r\nattackers to achieve a significant level of manipulation over the infected ATMs. The initial infection occurs\r\nvia the USB port.\r\nATMTest is a multi-stage infection in 2018. It requires console access to the ATM, meaning the attackers\r\nhave to gain remote access to the bank’s networks. This malware was originally coded to steal money in\r\nrubles.\r\nPeralta was an evolution of the infamous ATM malware project called Ploutus, which led to losses of\r\n$64,864,864.00 across 73,258 compromised ATMs. Both Peralta and Ploutus originated in Latin America.\r\nATMWizX was discovered in the fall of 2018 and dispenses all cash automatically, starting with the most\r\nvaluable cassettes.\r\nATMDtruck also appeared in the fall of 2018 with indications that the first victims were in India. It\r\ncollects enough information from the credit cards inputted into the infected ATM that it can actually clone\r\nthem. It drops the malware “Dtrack”, which is a sophisticated spy tool.\r\nhttps://securelist.com/atm-pos-malware-landscape-2017-2019/96750/\r\nPage 5 of 8\n\nGeography of unique devices that encountered ATM/PoS malware, 2019 (download)\r\nTOP 10 countries by number of unique devices that encountered ATM/PoS malware in 2019\r\nCountry Devices\r\n1 Russian Federation 2306\r\n2 Iran 1178\r\n3 Brazil 819\r\n4 Vietnam 416\r\n5 India 353\r\n6 Germany 228\r\n7 United States 220\r\n8 Italy 197\r\nhttps://securelist.com/atm-pos-malware-landscape-2017-2019/96750/\r\nPage 6 of 8\n\n9 Turkey 149\r\n10 Mexico 114\r\nThis past year, the ten countries with the highest level of ATM/PoS malware activity remained the same, with only\r\none change: Mexico once again entered the top ten, while Thailand left.\r\nOverall, the total number of devices affected increased once again. In fact, ATM/PoS malware activity reached\r\nnew levels by the spring of 2019 with a string of operations: ATMqot, ATMqotX, and ATMJaDi. ATMgot operates\r\ndirectly on the ATM using the dispenser to withdraw the maximum number of banknotes allowed; if it cannot do\r\nthis, it will default to 20 notes. This malware also possesses anti-forensic techniques that allow it to delete traces\r\nof the infection from the ATMs, as well as some video files, which could potentially be used as part of video\r\nmonitoring.\r\nATMJadi orginated in Latin America and is capable of cashing out ATMs. Since it’s a Java-based project, it’s\r\nplatform-dependent—and thus highly targeted. In order to be installed, the attackers must gain access to the bank’s\r\nnetwork. This suggests the attackers first compromise the bank’s infrastructure. But what’s perhaps most\r\ninteresting is the false flag section with strings in the Russian language.\r\nThe problem of cyberattacks is compounded by the use of outdated and unpatched systems. That means that, even\r\nas new 2019 malware families were developed, the old ATM families from the previous years can still be used to\r\nlaunch successful attacks.\r\nA look towards the future\r\nATM/PoS malware will only continue to evolve, and so, we will continue to monitor the ecosystem closely. We’ve\r\nalready seen WinPot, first discovered in 2018, active this year in different parts of the world.\r\nLatin America has long been known as a region of innovative cybercriminals who adopt techniques other region\r\nuses. It’s not surprising then that a new trend was recently discovered in development: an ATM MaaS project\r\nwhereby a group in Latin America is attempting to sell ATM malware developed for each major vendor on the\r\nmarket. Projects like these provide further evidence that the world of ATM malware is still evolving, with\r\ncybercriminals continuously developing better attack strategies.\r\nOur research has also shown that, beyond Latin America, countries in Europe and the APAC region are of\r\nparticular interest to ATM attackers, as is the United States. This signifies that ATM malware is a truly global\r\nthreat. After all, ATMs are located in nearly every country and few systems offer access to such massive amounts\r\nof fund.\r\nHow, then, can you protect your money? No matter how digital banking has become, ATMs are still an inevitable\r\npart of managing your funds. While you can’t control whether or not an ATM machine is attacked, by\r\nconscientiously monitoring your accounts and financial transactions, you can make sure suspicious activity is\r\nquickly identified and the proper channels duly notified. This should help mitigate the damage caused by any\r\nattack.\r\nhttps://securelist.com/atm-pos-malware-landscape-2017-2019/96750/\r\nPage 7 of 8\n\nFor financial institutions, staying secure requires a comprehensive, multi-step approach:\r\n1. 1 Evaluate which attack vectors are more likely to be used and generate a threat model. This will depend,\r\nfor example, on what network architecture is in place and where the ATM is installed – a place not\r\ncontrolled by your organization, such as a wall on the street, or an office under video surveillance, etc.\r\n2. 2 Determine which ATMs are outdated or have an OS version that’s reaching the end of its vendor\r\nsupport. If you cannot replace the legacy devices, pay attention to this fact in your threat model and set the\r\nappropriate security solution settings, which do not affect the device’s productivity.\r\n3. 3 Regularly conduct security assessments or pentests of ATMs to find possible cyberattack vectors.\r\nKaspersky’s threat hunting service can also help you find sophisticated cybercriminals.\r\n4. 4 Regularly review the physical safety of ATMs to detect abnormal elements implemented by attackers.\r\n5. 5 If ATM configurations permit it, install a security solution that protects the devices from different attack\r\nvectors, such as Kaspersky Embedded Systems Security. If the device has extremely low system specs, the\r\nKaspersky solution would still protect it with a Default Deny allowlisting scenario\r\nPoS terminals are in many aspects similar to ATMs, but still possess a number of differences to be mindful of—\r\nand tackled accordingly. Apart from the steps mentioned above (which remain applicable), the following must be\r\ntaken into account:\r\n1. 1 Often more powerful when compared to an average ATM, Windows-based PoS terminals offer greater\r\nspaces for attackers’ maneuvering and are capable of running a broad range of modern malware and\r\nhacking tools. This makes implementation of multi-layered protection a must.\r\n2. 2 While also residing in public spaces, they generally lack ATMs’ heavy armor. Therefore, they are more\r\nsusceptible to direct attacks using unauthorized devices. This makes properly configured Device Control\r\neven more valuable.\r\n3. 3 As they are frequently involved not only in financial, but also personal, data processing, this adds to their\r\nattractiveness for cyberattacks and also subjects them to more legislation. In combination with direct attack\r\nscenarios, implementation of file integrity monitoring and log inspection are mandatory, preferably in a\r\nway that allows tracking changes offline.\r\n4. 4 Embedded systems should be protected not only by host-based security, but also by application of\r\nnetwork-level security, such as Secure Web Gateways or Next-gen Firewalls capable of detecting and\r\nblocking unsolicited communications and other systems both inside and outside of the company’s\r\ninfrastructure.\r\nSource: https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/\r\nhttps://securelist.com/atm-pos-malware-landscape-2017-2019/96750/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/"
	],
	"report_names": [
		"96750"
	],
	"threat_actors": [],
	"ts_created_at": 1775434298,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afe5f62f2dbf1a6745f66a8f16589d6f2152c265.pdf",
		"text": "https://archive.orkl.eu/afe5f62f2dbf1a6745f66a8f16589d6f2152c265.txt",
		"img": "https://archive.orkl.eu/afe5f62f2dbf1a6745f66a8f16589d6f2152c265.jpg"
	}
}