Cyber Incident Victim: Diebold Nixdorf

Date: Apr 2020

Location: United States of America

Summary

A major ATM and payment technology provider experienced a ransomware attack targeting its corporate network, disrupting automated field service technician systems and impacting over 100 customers. The incident involved ProLock ransomware, a rebranded variant of PwndLocker, deployed during weekend hours to exploit reduced staffing. While the company contained the malware spread by disconnecting affected systems, the attack did not compromise ATMs, customer networks, or public-facing services. The attackers demanded a six-figure ransom, which the victim refused to pay. Although the ransomware operators suggested potential access to sensitive data, no confirmed data exfiltration or public leak occurred. Security researchers noted ProLock's decryption tool could corrupt large files unless modified with a specialized fix available only to paying victims.

Description

Diebold Nixdorf, a leading global provider of ATMs and payment systems, experienced a ransomware attack on its corporate network on April 25, 2020. The company’s security team detected anomalous activity that evening, prompting an immediate containment response involving the disconnection of affected systems to prevent malware spread. Investigation confirmed the attackers deployed ProLock ransomware, a strain previously known as PwndLocker, which had rebranded after security researchers released a decryption tool for its earlier version. Diebold asserted the incident did not compromise its ATM infrastructure, customer networks, or public-facing services, emphasizing that operational disruptions were confined to internal corporate systems. The company’s containment efforts temporarily disrupted an automated system managing field service technician requests, impacting services for over 100 customers. Diebold did not pay the ransom, which typically ranged from $175,000 to $660,000 for ProLock attacks, and stated the financial impact was not material to its business. Executives personally contacted affected customers to explain the situation and mitigation steps.

The attack occurred on a Saturday evening, a timing consistent with ransomware groups’ preference for weekends when organizational staffing is minimal. ProLock’s operators had not established a dedicated leak site to publish stolen data at the time of the incident, though evidence from prior attacks suggested they accessed sensitive victim files. Security researchers noted ProLock’s decryptor tool corrupted large files like databases, with a fix available only to victims who paid the ransom. Diebold maintained that no data exfiltration occurred, but experts highlighted the growing trend of ransomware actors stealing information to pressure victims into paying. The company completed containment measures, confirming the malware’s spread was halted, and reiterated its focus on system security and customer service integrity throughout the response. No further disruptions to ATM operations or retail point-of-sale systems were reported following the initial containment.
