Diebold Nixdorf Hit by ProLock Ransomware Attack in April Diebold Nixdorf, the largest ATM provider in the U.S. and a major global player with over a third of the worldwide market, confirmed a ransomware attack in April that disrupted its corporate operations. The company disclosed the incident this week, stating that customer networks remained unaffected and that the attack had been contained. Security researcher Brian Krebs reported that the attackers deployed ProLock ransomware, a successor to the PwndLocker kit. ProLock encrypts files by appending malicious executables, sometimes layering them to complicate recovery. Victims are directed to a Tor-based payment portal via a ransom note, with demands averaging 60 BTC (approximately $570,000) in early April. Diebold Nixdorf confirmed it did not pay the ransom. The company detected the infection in late April and stated that the malware’s spread had been halted. Leadership reportedly contacted customers directly to inform them of the breach and mitigation efforts. While ransomware attacks often promise decryption tools upon payment, many victims never receive them, leaving data permanently inaccessible.

Independent researcher Matt Burch disclosed vulnerabilities in Diebold Nixdorf's ATM security solution, Vynamic Security Suite (VSS), during the Defcon security conference. The findings showed potential for attackers to circumvent hard drive encryption and gain full control over the machines if the patches are not applied, posing significant risks of financial data breach and unauthorized cash withdrawals. The unencrypted Linux partition used in the dual-boot configuration of the ATMs exacerbated the issue, allowing the exploitation path. Although Diebold has patched the issues, Burch suggested that patches might not be consistently deployed across all ATMs.

Diebold Nixdorf admitted a cyber attack on a service provider in a letter to customers, this provided optimization data for cash distribution to the ATMs. It is uncertain who was responsible for the attack on servers and other components at the data center utilized by the service provider Planfocus. Aside from not being impacted, neither customer data nor statistics data have been lost as of this writing, as far as is known. A service provider's data center, which houses the CCO systems, was the target of the attack. Only the attack, not the cash supply itself, could have put the optimization in jeopardy.