FBI Warns of Ploutus Malware Draining U.S. ATMs Without Cards
The Federal Bureau of Investigation (FBI) has issued an urgent alert regarding a surge in jackpotting attacks on Automated Teller Machines (ATMs) across the United States. These attacks involve the deployment of sophisticated malware, notably the Ploutus family, enabling criminals to dispense cash from ATMs without the need for physical bank cards or legitimate customer accounts.
In a FLASH alert dated February 19, 2026 (FLASH-20260219-001), the FBI highlighted the escalating threat posed by these malware-driven attacks. Since 2020, over 1,900 jackpotting incidents have been reported, with more than 700 occurring in 2025 alone, resulting in losses exceeding $20 million.
Understanding Ploutus Malware
Ploutus is a malware family that targets the eXtensions for Financial Services (XFS) middleware, the standard software layer through which an ATM's application talks to its peripherals (cash dispenser, card reader, PIN pad). Ploutus does not need a flaw in that layer: it calls the same XFS dispense functions the legitimate ATM application uses, and because the middleware does not authenticate the process calling it, the dispenser obeys. The bank's host-side transaction authorization is never consulted, so no card, PIN or account is involved.
Modus Operandi of Attackers
The typical attack sequence involves several steps:
1. Physical Access: Attackers gain access to the ATM’s internal components, often using generic keys readily available in the market.
2. Malware Deployment: Once inside, they install the Ploutus malware. This can be achieved by:
– Removing the ATM’s hard drive, connecting it to an external device to upload the malware, and then reinstalling it.
– Swapping the existing hard drive with one preloaded with the malware.
– Connecting external devices, such as USB drives or keyboards, to introduce the malware.
3. Command Execution: With the malware in place, attackers issue dispense commands, either locally through an attached keyboard or through a remote-access tool left on the machine, and empty the cassettes within minutes. Because the dispense never passes through the bank's host, standard transaction monitoring does not see it.
Indicators of Compromise
Financial institutions and ATM operators should be vigilant for signs indicating a potential compromise:
– Unexpected Executables: Presence of unfamiliar files such as Newage.exe, NCRApp.exe, WinMonitor.exe, or sdelete.exe (the latter is the legitimate Sysinternals secure-delete utility, which has no business on an ATM and points to anti-forensic cleanup after the cash-out).
– Unauthorized Remote Tools: Detection of remote access software like AnyDesk or TeamViewer installed without authorization.
– Anomalous Registry Entries: New or modified registry entries, especially those related to startup processes, with generic names like ATM Service or Dispenser Service.
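One way to turn the three indicator groups above into a repeatable host check is to match a collected inventory (files on disk, installed software, startup registry values) against the names the alert lists. The script below is an added example, not tooling from the FBI alert or any ATM vendor; the inventory it scans is constructed, the vendor path `C:\ATM\vendor\` is hypothetical, and the indicator strings are exactly those named in this section.

```python
"""Match a host inventory against the indicators listed in the FBI alert.

Added example, not from the alert or any vendor tooling. The inventory is
constructed; the indicator strings are the ones named in the section above."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Indicators from the alert, normalised to lower case for comparison.
IOC_EXECUTABLES = {"newage.exe", "ncrapp.exe", "winmonitor.exe", "sdelete.exe"}
IOC_REMOTE_TOOLS = {"anydesk", "teamviewer"}
IOC_GENERIC_NAMES = {"atm service", "dispenser service"}
# Startup-related registry keys (Run / RunOnce under HKLM, HKCU and WOW6432Node all end this way).
AUTORUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")


@dataclass(frozen=True)
class Finding:
    kind: str      # "file", "remote_tool" or "registry"
    evidence: str  # the path, product name or registry value that matched
    reason: str


def image_name(command: str) -> str:
    """Lower-case basename of the executable in a path or a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]   # quoted path, arguments follow
    else:
        command = command.split(" ", 1)[0]
    return command.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(
    files: Iterable[str],
    installed_software: Iterable[str],
    autoruns: Iterable[tuple[str, str, str]],   # (key, value name, value data)
    authorized_remote_tools: frozenset[str] = frozenset(),
) -> list[Finding]:
    findings: list[Finding] = []
    for path in files:
        name = image_name(path)
        if name in IOC_EXECUTABLES:
            findings.append(Finding("file", path, f"{name} is named in the alert as a jackpotting-associated executable"))
    for product in installed_software:
        tool = next((t for t in IOC_REMOTE_TOOLS if t in product.lower()), None)
        if tool and tool not in authorized_remote_tools:
            findings.append(Finding("remote_tool", product, f"{tool} present but not on the authorised remote-access list"))
    for key, value_name, data in autoruns:
        if not key.lower().endswith(AUTORUN_KEY_SUFFIXES):
            continue
        reasons = []
        if value_name.lower() in IOC_GENERIC_NAMES:
            reasons.append("generic service-like value name")
        if image_name(data) in IOC_EXECUTABLES:
            reasons.append("launches a listed executable")
        if reasons:
            findings.append(Finding("registry", f"{key}\\{value_name} = {data}", "; ".join(reasons)))
    return findings


def demo() -> list[Finding]:
    """Run the triage over a constructed inventory from a hypothetical ATM host."""
    files = [
        r"C:\Windows\System32\svchost.exe",
        r"C:\ATM\vendor\xfs_host.exe",          # hypothetical vendor binary, assumed clean
        r"C:\Users\Public\NCRApp.exe",
        r"C:\Windows\Temp\sdelete.exe",
    ]
    installed = ["Microsoft Visual C++ Redistributable", "AnyDesk"]
    autoruns = [
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
         r"C:\Windows\System32\SecurityHealthSystray.exe"),
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Dispenser Service",
         r'"C:\Users\Public\NCRApp.exe" /silent'),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Updater",
         r"C:\ProgramData\WinMonitor.exe"),
    ]
    return triage(files, installed, autoruns)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.kind}] {f.evidence}\n    {f.reason}")
```

Name matching alone is weak evidence (an attacker renames a binary in seconds), so treat a hit as a reason to pull the disk image and compare against the software baseline rather than as proof of compromise; conversely, remote-access software that the operator has sanctioned should be passed in via `authorized_remote_tools` so the check reports only unapproved installs.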
Recommended Mitigation Strategies
To counteract these threats, the FBI recommends the following measures:
– Enhanced Physical Security: Upgrade standard locks to more secure alternatives and install tamper-evident sensors.
– Surveillance: Ensure comprehensive camera coverage around ATMs to monitor and record any unauthorized access attempts.
– System Hardening: Implement full-disk encryption, so a hard drive pulled from the cabinet cannot be modified offline or replaced with a preloaded copy that the machine will accept, and enforce hardware device whitelisting (USB device control that allows only approved device identifiers to enumerate) to block the keyboards and USB drives used to introduce the malware.
– Regular Audits: Conduct routine checks to compare ATM software against a trusted baseline, ensuring no unauthorized changes have been made.
– Enhanced Logging: Enable detailed Windows auditing to monitor for specific events, such as USB device insertions, file modifications, process creations, and log clearings.
Reporting and Collaboration
Financial institutions are urged to report any suspected jackpotting incidents to their local FBI field office or through the Internet Crime Complaint Center (IC3). Collaboration between law enforcement and the financial sector is crucial to effectively combat this evolving threat.
Conclusion
The rise of Ploutus malware and similar threats underscores the need for a proactive and layered security approach to protect ATMs. By combining physical security enhancements, system hardening, vigilant monitoring, and prompt reporting, financial institutions can better defend against these sophisticated attacks and safeguard their assets and customer trust.