Easy live cash and ATM-targeting malware remain lucrative ways for criminals to get money in Europe, said Olga Osipova, senior application security specialist at Kaspersky. “Attacks on ATMs are viral and profitable, providing “live” cash directly. The dark web frequently features advertisements for malware or special devices designed to extract money from various ATMs. These announcements often precede waves of attacks on banks in different countries. Over the years, popular software methods for extracting money from ATMs have included Tyupkin, Cutlet Maker, Skimer, and others. For example, in 2015-2016, the Black Box method gained particular popularity,” said Osipova.

>>>Click here to read more about cybersecurity

According to Kaspersky specialist, regarding the current announcement about EU ATM Malware, considering its claimed cross-platform functionality, it can be assumed that the malware is based on XFS, a standard providing a common API for managing various internal ATM modules, regardless of the manufacturer.

“Over the years of analyzing ATM security, we have developed several tools to test the possibility of cash extraction from ATMs. The first was written over 10 years ago when most ATMs ran on Windows XP. With minor modifications, this tool still runs on the latest OS versions, independent of the platform (NCR, Diebold, GRG, Hyosung, etc.). Using the features of the XFS standard allows us to demonstrate vulnerabilities and flaws in ATMs, leading to their emptying. Cash dispensing can be fully automated until all money is extracted, except for the physical action of removing the stack of banknotes from the ATM,” said Osipova.

Are ATMs in Europe simpler to hack than the rest of the world?

In the announcement, the seller claims 99% effectiveness on European ATMs and up to 60% on ATMs in other countries, indirectly suggesting that the malware was tuned explicitly for European devices, clarify Osipova.

According to the Kaspersky specialist, this does not mean that ATMs outside Europe are safe. “It is important to remember that in addition to software methods of unauthorized cash dispensing, there are also hardware methods. Unfortunately, during every security analysis we conduct, even in 2024, we find at least one attack method in each ATM that allows for full cash extraction,” she reinforces.

Osopova adds that various payment methods for the malware (subscription, demo version) indicate organized and well-prepared developers, potentially increasing its spread. Different operating modes allow the malware to be adapted to specific attack goals and conditions.

“Proper attention to the security of financial devices, regular penetration testing, ATM security assessment, and timely implementation of compensatory measures when vulnerabilities are found help reduce the risk of ATM attacks and minimize financial and reputational losses. Monitoring “underground” activities targeting a bank or industry can be achieved through cyber intelligence services,” finalizes the specialist.