Ripper ATM

Malware

⚠️ Overview

Ripper ATM is a specialized malware designed to compromise automated teller machines (ATMs), first publicly documented in June 2021 by the cybersecurity firm Trend Micro. It belongs to the category of ATM malware, a subset of financial threat tools that directly manipulate cash dispensing mechanisms, and is attributed to the threat group tracked as TA505 (also known as UNC1878, FIN11). Unlike broad-spectrum ransomware, Ripper ATM targets physical ATM infrastructure, often delivered via remote access or physical USB infection.

🔧 Technical Capabilities

Ripper ATM operates by gaining control of the ATM’s underlying Windows-based operating system (often Windows XP or Windows 7 embedded) through spear-phishing emails or exploiting unpatched vulnerabilities in the bank’s internal network. Once installed, it communicates with a command-and-control (C2) server using HTTP/HTTPS requests to receive commands, such as dispensing a specific number of banknotes. The malware uses a custom protocol to interact with the ATM’s XFS (Extensions for Financial Services) middleware, allowing it to bypass legitimate cash-dispensing logic. It employs evasion techniques including code obfuscation, anti-debugging checks, and packing with UPX or custom packers. Persistence is achieved by writing itself as a service or via registry run keys, and it can disable security software present on the ATM.

📜 History & Notable Incidents

First observed in campaigns targeting banks in Eastern Europe and Latin America, Ripper ATM was linked by Trend Micro to the TA505 group, which previously conducted the Clop ransomware and LockBit operations. In one incident, threat actors used stolen employee credentials to gain physical access to an ATM and then deployed Ripper via a USB drive. No specific CVEs are directly attributed to Ripper ATM, but it often relies on older vulnerabilities like CVE-2017-0144 (EternalBlue) for lateral movement within bank networks. Law enforcement actions have not publicly dismantled the group, but Trend Micro’s 2021 report (trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ripper-atm-malware) remains the primary source.

🔍 Detection Indicators

Known indicators include network IOCs such as C2 domains registered through privacy-protected services, often using .com or .xyz TLDs. Behavioral signatures include unusual XFS API calls to the ATM dispenser, excessive use of the CIM\_Win32\_Service class in WMI queries, and creation of files named disp.exe or atmctrl.dll. Registry keys under HKLMSYSTEMCurrentControlSetServicesATMSrv have been observed. No public SHA256 hashes are confirmed, but Trend Micro suggests monitoring for executable files with low detection rates on VirusTotal.

☠️ Risk & Impact

Ripper ATM directly causes financial losses by forcing ATMs to dispense cash without authorized transactions, with reported losses per incident ranging from tens of thousands to over $100,000. The affected sectors are primarily banking and financial services, especially in regions with older ATM infrastructure lacking security updates. Beyond cash theft, compromised ATMs can be used to harvest card data if the malware includes skimming functionality, though Ripper is primarily focused on jackpotting.

🛡️ Mitigation

Defense measures include keeping ATM operating systems patched, implementing network segmentation so ATMs are isolated from corporate networks, and using application whitelisting to block unknown executables. Organizations should deploy behavioral detection rules that flag abnormal XFS commands, and monitor for remote access tools like RDP or PsExec on ATM terminals. Regular physical security audits of ATM enclosures can prevent USB-based deployment.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.