Empty ATMs: New ATM Trojan Hits Ukraine with Unique and Damaging Effects

We’ve heard of ATMs getting hacked so they spew out cash, but now there’s a new threat facing the money machines.

According to a report by SafenSoft, a Russian software security firm, ATMs in Ukraine were the victims of a cyber attack by a new ATM Trojan.

The ATMs belong to one of Ukraine’s largest banks and were all located in public access areas. The ATMs had been loaded with money on a Friday earlier this month, and were found completely empty the following Monday. The kicker? There were no signs of physical damage to the machines.

According to SafenSoft, the initial examination of the ATMs revealed no malicious code left behind. The report notes, “This large-scale action at the level of the whole country carried out over a single weekend followed by self-destruction of the malware used in (the) cyber attack is currently the largest of its kind.”

Though it is not made 100 percent clear in the report, SafenSoft seems to be blaming this attack on Ploutus, malicious code first detected in Mexico in September 2013.

According to SafenSoft, “Ploutus is aimed at ATMs and has the ability to withdraw cash directly from the device. Ploutus’s main feature is the ability to deactivate traditional protection systems installed and active in the system that is being infected, allowing attackers to install Ploutus even on the system with activated antivirus protection.”

In the past, carrying out ATM attacks was harder. It had to be done in several stages, meaning it was easier to detect and even stop attacks. The Ploutus Trojan simplifies the entire process, making it a breeze for hackers – and much harder to detect. If an attack is directed at the ATM software and doesn’t affect the company’s database, the attack will only be detected after it’s already happened and the hackers are long gone.

“We have witnessed an unprecedented level of cooperation among cybercriminals,” says Denis Gasilin, head of marketing at SafenSoft.

“Large-scale international attacks on the ATM network already happened in the past, but never before were cybercriminals able to carry out such an attack affecting only the ATM network itself and leaving no trace at all. The level of cooperation on the cybercriminal side is sadly on a higher level than that of the defending side, so reactive methods of information protection just don’t work. The only way to reliably defend against targeted attacks using the latest malicious code is to use proactive technologies,” says Gasilin.


For more information, see the SafenSoft report here: http://www.safensoft.com/archiv/n/819/1796