New Ripper ATM malware – 12 million THB stolen

A new malware by the name of Ripper could have been involved in an ATM scam in Thailand. The malware was discovered locally, and a sample was uploaded to the VirusTotal site. Researchers at FireEye have reported and named the Ripper virus (“ATMRIPPER” appeared in the source code of the project). The hack resulted in a temporary shutdown of many ATMs in the country.

The Ripper of ATMs

FireEye discovered the malware on the 23rd of August, 2016, when its entire code was uploaded to the VirusTotal site (a platform for checking malicious content). The sample went live a few minutes before an article reporting the theft was uploaded onto the Bangkok Post website.
The Ripper malware bears a striking resemblance to the malware used in the ATM theft in Thailand. The Ripper sample on VirusTotal and the malware behind the ATM scam in Thailand share the following similarities:

  • The hackers need to access the ATM physically to distribute the malware
  • The timeframe of the development of the malware and the ATM attack fits
  • Both infect the same brand of ATMs
  • Both require an ATM with an EMV authentication chip

Ripper also has similarities to other ATM scamming software. It expels currency in the same way as the Padpin, SUCEFUL, and GreenDispenser malware. The ATMs are also infected by inserting a special card containing an EMV chip into the machines, similar to the Skimmer family of malware.
Ripper is the first malware which targets three of the biggest ATM vendors worldwide. The scammer siphoned money out of the ATM itself, not from the accounts. In other words, they robbed the bank, not the customers.

Table of Similarities Between Ripper and the Malware Used in Thailand:

Scale of the Scam and Suspects

The scammers managed to steal 12 million Thai baht, which is about $340,000. According to the Bangkok Post, the scam targeted the Government Savings Bank of Thailand. The theft was carried out in six provinces of the Asian country – Phuket, Surat Thani, Chumphon, Prachuap Khiri Khan, Phetchaburi, and Bangkok. The five suspected scammers are said to be from Eastern Europe, and the gang has since fled the country. They’re also the main suspects in a similar heist in Taiwan back in July 2016. Interpol was notified of the hack and is currently looking for the scammers along with the Thai police.

Cyber Bank Robbers

The bank robbers of our times aren’t wearing bandanas and wielding Tommy guns – they’ve replaced them with malware tools and microchips. It’s no wonder that Michael Mann’s last movie (Blackhat) was about hackers instead of his usual bank robbers and cops. Cybercrime mostly pays. The advancing digitization of banks makes the service faster, cheaper and more convenient, but it also increases the threat of hacking. Just recently, a banking Trojan virus targeted major UK banks.

The crooks behind the ATM hackings in Thailand made a killing out of the theft, and they’re neither the first nor the last. Banks, firms, and customers need to think more about cyber-security. A good defense wall against cyber-attacks is just as important as a sturdy vault in the bank’s treasury.

Author : Alex Dimchev

Alex Dimchev is a beat writer for Best Security Search. When he's not busy researching cyber-security matters, he enjoys sports and writing about himself in third person.