ATM Security WannaCry virus

June 21, 2017

At Case Financial, we receive many questions regarding patching for ATMs. Whether the question is about protecting against potential viruses, patching in general, or what it means for you, Case is here to help.

NCR released the below information in regard to the WannaCry virus, but this can pertain to many of the hundreds of new threats released daily. Whether your financial institution has an in-depth, multi-layered security approach to network security, or if you have other substantial compensating controls in place, it’s important to remember that ATMs are a part of that overall approach.

There is a serious malware cyber threat called “WannaCry” that is impacting many organizations worldwide.

This type of threat is known as ransomware. It will encrypt the files on end-points running Microsoft operating system software, rendering them inaccessible. ATMs are at risk of this attack. Additionally, this malware attempts to infect other end-points on the same network. NCR has taken a number of steps to respond to this threat.

Who is at risk

Customers running any Windows OS who have not applied the Microsoft security patch MS17-010. For Windows 7 customers, NCR advised in March 2017 that this patch be deployed. Security updates for the range of Windows OS are available here.

Guidance and Recommendations for ATM endpoint security:

As preventative measures to protect our customers, we have worked with our security partner McAfee and Microsoft to understand the malware and identify mitigations. McAfee has informed us that when Solidcore for APTRA or Solidcore Suite for APTRA is enabled it will block any hash values that are not whitelisted. This will prevent this attack from being successful. Additionally, customers should install MS17-010 at their next scheduled patch deployment, after testing in their lab, as per PCI guidance.

Customers using an alternative anti-malware solution should contact their anti-malware vendor for guidance and also deploy the Microsoft security patch after testing in their lab. Customers who are not using any anti-malware solution must install the Microsoft patch immediately. The patch should be tested in a lab environment prior to deploying to a live ATM.

Deploying the Microsoft Security Patch

All Windows XP SP3 and Windows 7 SP1 ATMs should install the patch for MS17-010 as soon as possible. APTRA Vision’s inventory capabilities can be used to determine whether or not this patch has been successfully deployed. All Financial Institutions can order/download the latest Microsoft Security updates (if not already done) from IPP/DLC/WOT to avoid any potential threats. Details below:

PID/ZPID : G534-7075-0000/ G534-7075-Z000
Release : 05.08.00
Title : Cumulative Microsoft Windows 7 Security Patches (April 2017)

The patch has been tested on the following SW products/versions:

  • Edge – 5.0
  • Edge – 7.0
  • AANDC – 04.01.20
  • AIT – 6.5.6
  • USN – 1.1.10
  • USN – 1.2.8

Note: If you have already installed MS Security Patches for March 2017, your ATMs are free of the WannaCry logical attack, but NCR recommends installing the latest available to avoid any other vulnerabilities.

Guidance if end-point is infected

McAfee has updated their Stinger to detect this malware. If you are concerned about infection across your enterprise, then run Stinger to detect and delete this malware on end-points that have not yet been fully compromised.

McAfee Stinger is available here. Ensure you read the Stinger documentation prior to using this utility. This documents the range of OS supported by the utility. If any ATMs are infected/locked with the ransomware, then every other ATM and end-point on the same network must be checked for infection as well. Once the malware infects one end-point on the network it will replicate itself to other vulnerable systems. The only way to recover an infected and encrypted ATM is to reimage from scratch. There is NO other option. Ensure that the patch is installed as part of the reinstall.
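The guidance above (patch timing by anti-malware status, and the handling of infected end-points) can be applied to a fleet inventory export. This is an added example, not NCR's or Case Financial's code; the inventory records, field names and action labels are constructed for illustration, and "network" stands in for however your environment groups end-points that can reach each other.

```python
"""Triage a constructed ATM inventory against the advisory's WannaCry guidance."""

# Constructed sample inventory; field names and values are hypothetical.
INVENTORY = [
    {"atm": "ATM-001", "network": "branch-a", "ms17_010": True,
     "anti_malware": "solidcore", "infected": False},
    {"atm": "ATM-002", "network": "branch-a", "ms17_010": False,
     "anti_malware": "solidcore", "infected": False},
    {"atm": "ATM-003", "network": "branch-b", "ms17_010": False,
     "anti_malware": "other", "infected": False},
    {"atm": "ATM-004", "network": "branch-b", "ms17_010": False,
     "anti_malware": None, "infected": True},
    {"atm": "ATM-005", "network": "branch-c", "ms17_010": False,
     "anti_malware": None, "infected": False},
]


def triage(inventory):
    """Map each ATM id to the ordered list of actions the guidance calls for."""
    # One infected end-point puts every other end-point on its network in scope.
    exposed = {r["network"] for r in inventory if r["infected"]}
    plan = {}
    for r in inventory:
        if r["infected"]:
            # Encrypted ATMs cannot be recovered: reimage, patch during reinstall.
            plan[r["atm"]] = ["REIMAGE_WITH_PATCH"]
            continue
        actions = []
        if r["network"] in exposed:
            actions.append("CHECK_FOR_INFECTION")
        if r["ms17_010"]:
            actions.append("KEEP_UPDATES_CURRENT")
        elif r["anti_malware"] == "solidcore":
            # Whitelisting enabled: patch at the next scheduled deployment.
            actions.append("PATCH_AT_NEXT_SCHEDULED_DEPLOYMENT")
        elif r["anti_malware"]:
            actions += ["CONTACT_AV_VENDOR", "PATCH_AFTER_LAB_TEST"]
        else:
            # No anti-malware at all: the patch cannot wait for the next cycle.
            actions.append("PATCH_IMMEDIATELY")
        plan[r["atm"]] = actions
    return plan


if __name__ == "__main__":
    for atm, actions in triage(INVENTORY).items():
        print(f"{atm}: {', '.join(actions)}")
```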

With regard to any of these potential risks, Case Financial’s security strategy is designed to provide guidelines and solutions that will help minimize the risk of malware being loaded onto the ATM. The team at Case will evaluate your financial institution’s current status and offer a security strategy to protect your ATM fleet from physical and logical threats. Contact us for more information.