Skip to main content

'Ripper' Malware Spews Cash from Super-Secure ATMs

If you use a credit or debit card issued in the past year, there's a good chance it has a small gold square chip on the front. This chip, known as an EMV (Europay, MasterCard and Visa) chip, helps authenticate your purchases and withdrawals, and cards using them are far more secure than those using only old-fashioned magnetic stripes.

EMV chips generally keep monetary transactions safe, but like any security measure, the technology is open to abuse. Researchers recently discovered a piece of malware that spreads via EMV chips and is most likely responsible for a rash of costly ATM thefts in Thailand, and possibly Taiwan, over the past two months.

An ATM in Thailand. Credit: Wikimedia Commons/Public domain

(Image credit: An ATM in Thailand. Credit: Wikimedia Commons/Public domain)

FireEye, a Milpitas, California-based security firm, wrote a detailed blog post about the malware, which it named RIPPER — a shortened version of ATMRIPPER, which appears in some of the malware's internal files. The company discovered the software via malware-cataloguing site VirusTotal. While FireEye cannot prove that RIPPER was responsible for the recent ATM thefts in Thailand and Taiwan, the similarities are striking, and more than a little suggestive.

MORE: Best Antivirus Software and Apps

In case you haven't heard about ATM theft in Thailand, it's been a fairly substantial problem throughout July and August. Thieves have made off with about 12 million baht ($350,000) by physically infecting ATMs with malware, then disconnecting the machines from banking networks. This is exactly how RIPPER functions, and the timeline for the creation and usage of the malware fits as well.

Here's how RIPPER works: A thief inserts a fake ATM card into an ATM, with the malware contained within the EMV chip on the card. Using a Windows laptop, the thief can then manipulate the ATM to dispense cash without the usual authentication process -- a phenomenon that security researchers call "jackpotting." The brand of ATM targeted can dispense up to 40 bills at once.

The Bangkok Post said all the ATMs hit across Thailand were made by NCR and operated by a single bank, although FireEye's analysis suggests that RIPPER can target three different brands that are among the top ATM makers worldwide.

Following the jackpotting of the ATM, RIPPER erases all evidence of itself from the system. It's not clear whether RIPPER extracts money from the banks themselves or from individual user accounts, but in the Thai cases, the money was the banks and not tied to customer accounts. The Bangkok Post reported that the ATM thefts were similar to concurrent attacks taking place in Taiwan.

Based on surveillance footage, the Thai police suspect a gang of at least six Eastern European men. Given the amount of malware that originates in Eastern Europe, this would not be terribly shocking, but there's no shortage of ATM hacks from other sources, either. (How exactly the Thai police could differentiate Eastern Europeans from any other type of European ethnicity on security-camera footage would also be a topic of some interest.)

Whatever the case, if RIPPER is indeed behind the recent ATM hacks, Thai bankers can now theoretically start devising countermeasures for it. If not, Thai banks may be in for another rough few months. EMV chips are becoming pretty common in the U.S., and NCR is an American company; it's not impossible that a RIPPER variant could make its way westward soon.