The financial tech giant Diebold Nixdorf has been infected by a relatively new ransomware known as ProLock. While customers were understandably worried about ATM and customer-connected networks, Diebold said that the infection only affected its corporate network. The company told Brian Krebs that its security team discovered unusual behavior on the evening of April 25th. Suspecting a ransomware infection, the team began disconnecting systems from the network immediately to limit the spread. Although the infection only spread within the corporate network, Diebold also told Krebs that its response to the infection did disrupt a system responsible for handling field service technician requests.
ProLock got its start in late 2019 as PwndLocker, targeting larger businesses and local city governments to demand high ransom payments. Due to a flaw in the encryption implementation, Emsisoft was able to release a free decryptor for PwndLocker. The rebrand from PwndLocker to ProLock was likely a move to keep the image of ransomware that is unrecoverable without the author or group’s help.
As always, Binary Defense never recommends paying the ransom. There is never a guarantee of getting files back, and some decryptors offered by the ransomware authors are known to have flaws that can corrupt files during recovery. With the recent data theft and extortion trend from some ransomware groups, all ransomware incidents should be treated as data breaches as well. The 3-2-1 method of backing up data is a great way to ensure no data is lost during a ransomware infection. Keep three copies of the data on two separate devices with one of the devices stored off-site. Organizations can also utilize services such as the Binary Defense Security Operations Center (SOC) for 24/7 monitoring to quickly detect, contain, and alert security teams to threats like this before they spread too far.
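To make the 3-2-1 rule checkable rather than a slogan, the following Python script (an added example, not code from the original post or from Binary Defense) evaluates a backup inventory against the three conditions: at least three copies, on at least two distinct devices, with at least one copy off-site. The inventory format, the `BackupCopy` fields and the sample entries are assumptions constructed for this example; the point it illustrates is that several snapshots on one device count as one device, which is exactly the setup a single ransomware run wipes out.

```python
"""
3-2-1 backup rule checker (added example; not from the original post).

A backup inventory is a list of copies. The rule is satisfied when there are
at least three copies of the data, stored on at least two distinct devices,
with at least one copy held off-site. Copies that sit on the same device
count as one device, and a device is either on-site or off-site, never both.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str        # human-readable name (constructed for this example)
    device_id: str    # physical device or volume that holds the copy
    offsite: bool     # True if the device is at a different physical location


def evaluate_321(copies):
    """Return a dict of condition -> bool, plus an overall 'compliant' flag."""
    location_by_device = {}
    for c in copies:
        previous = location_by_device.setdefault(c.device_id, c.offsite)
        if previous != c.offsite:
            # The same device cannot be both on-site and off-site; the
            # inventory is wrong and should be fixed before trusting it.
            raise ValueError(f"device {c.device_id} listed both on-site and off-site")

    result = {
        "three_copies": len(copies) >= 3,
        "two_devices": len(location_by_device) >= 2,
        "one_offsite": any(location_by_device.values()),
    }
    result["compliant"] = all(result.values())
    return result


_DESCRIPTIONS = {
    "three_copies": "fewer than three copies of the data",
    "two_devices": "all copies sit on a single device",
    "one_offsite": "no copy is stored off-site",
}


def missing_requirements(copies):
    """List, in rule order, the 3-2-1 conditions the inventory fails."""
    result = evaluate_321(copies)
    return [_DESCRIPTIONS[key] for key in _DESCRIPTIONS if not result[key]]


# Constructed sample inventories (hypothetical device names, not real systems).
GOOD_INVENTORY = [
    BackupCopy("primary file server", "srv-01", offsite=False),
    BackupCopy("nightly snapshot on NAS", "nas-01", offsite=False),
    BackupCopy("weekly tape set in vault", "tape-set-07", offsite=True),
]

BAD_INVENTORY = [
    # Three "copies", but all on one device and nothing off-site: ransomware
    # that reaches nas-01 destroys the live share and both snapshots together.
    BackupCopy("live share", "nas-01", offsite=False),
    BackupCopy("snapshot A", "nas-01", offsite=False),
    BackupCopy("snapshot B", "nas-01", offsite=False),
]


if __name__ == "__main__":
    for name, inventory in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        report = evaluate_321(inventory)
        print(name, report)
        for gap in missing_requirements(inventory):
            print("  missing:", gap)
```

Feeding a real inventory into `evaluate_321` turns the rule into a recurring check rather than a one-time design decision. The script deliberately refuses an inventory that lists one device as both on-site and off-site, since an inconsistent inventory says nothing reliable about recoverability.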