
Hackers use 'disappearing malware,' steal $800,000 from ATMs

THE ASIAN AGE
Published : Apr 4, 2017, 12:34 pm IST
Updated : Apr 4, 2017, 12:36 pm IST

The only clue left behind was a note stating, ‘Take my money, bitch.’

The log files left behind make it obvious that the bank was hacked. However, researchers need samples of the ‘missing malware’ that ran on the machines to analyse how the robbers pulled off the heist.

It was like a scene from a movie: hackers in Russia managed to empty eight of a Russian bank's ATMs of around $800,000 worth of rubles in a single night. The incident happened last year, and the bank only discovered the heist when it went through its surveillance footage.

Motherboard reported that the Russian bank was looted by a lone culprit who collected a stack of bills worth about $100,000 from each machine. The worst part: he did not even touch the machine.

The ATMs were infected with malware that made them spew around 40 bills at a time; in less than 20 minutes a single ATM was left dry, and the culprit moved on to the next machine in the city to repeat the process. The whole sequence was captured on camera, and the bank brought in the Russian cybersecurity firm Kaspersky Lab to investigate. That CCTV recording was the only evidence.

The hackers' method was a mystery: the bank found no trace of malware on the ATMs or on its back-end network, and no signs of intrusion either. The only clue left behind was two log files recording what had happened on the machine before the money disappeared. The logs included one line in English: ‘Take my money, bitch.’

"Our theory is that during the uninstall [of the malware], something went wrong with the malware and that's why the [log] files were left," says Sergey Golovanov, principal security researcher with Kaspersky in Russia, who investigated the heists, reported Motherboard.

Earlier this year, Kaspersky also reported that invisible ‘fileless’ attacks had been used to target more than 140 banks in Europe.

‘Fileless malware attacks use the existing legitimate tools on a machine so that no malware gets installed on the system, or they use malware that resides only in the infected machine's random-access-memory, rather than on the hard drive, so that the malware leaves no discernible footprint once it's gone,’ reported Motherboard. The method was used to target two Russian banks that night.
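Memory-only code of the kind Motherboard describes can still be spotted while it is running, because an executable region that no file on disk backs is unusual. The following is an added illustration, not code from the article or from Kaspersky's investigation, and it uses Linux `/proc/<pid>/maps` output as the concrete case (the ATMs in the story were not necessarily Linux machines; the check itself is the point). The sample maps text, process names and addresses are constructed for the example.

```python
"""Heuristic check for executable code that has no on-disk backing file,
illustrated on Linux /proc/<pid>/maps lines. Added example; the sample
input below is constructed, not taken from any real machine."""
import re

# One maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>[rwxsp-]{4}) "
    r"(?P<offset>[0-9a-f]+) (?P<dev>[0-9a-f]+:[0-9a-f]+) (?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel pseudo-mappings that are executable and file-less by design.
BENIGN_PSEUDO = {"[vdso]", "[vsyscall]"}

# Constructed sample: a normal binary and libc, a heap, the vdso, plus two
# regions that should stand out: an anonymous rwx region and a memfd-backed
# region whose backing object has been unlinked.
SAMPLE_MAPS = """\
55d4e3c00000-55d4e3c21000 r-xp 00000000 08:01 1310722 /usr/bin/atm-agent
7f3a8c000000-7f3a8c021000 rwxp 00000000 00:00 0
7f3a8d000000-7f3a8d010000 r-xp 00000000 00:05 91234 /memfd:stage2 (deleted)
7f3a8e000000-7f3a8e1c0000 r-xp 00000000 08:01 456 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a8f000000-7f3a8f010000 rw-p 00000000 00:00 0 [heap]
7ffd1a200000-7ffd1a202000 r-xp 00000000 00:00 0 [vdso]
"""


def parse_maps(text):
    """Parse maps-format text into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(MAPS_RE.match, text.splitlines()) if m]


def classify(mapping):
    """Return why an executable mapping has no on-disk backing, or None."""
    if "x" not in mapping["perms"]:
        return None
    path = mapping["path"]
    if path in BENIGN_PSEUDO:
        return None
    if path == "" or path.startswith("[anon"):
        return "anonymous"          # mmap'd code with no file at all
    if path.startswith("/memfd:"):
        return "memfd"              # in-memory file, never on disk
    if path.endswith("(deleted)"):
        return "unlinked"           # file mapped, then removed from disk
    return None


def suspicious_exec_mappings(mappings):
    """Executable regions worth triage, each tagged with the reason."""
    out = []
    for m in mappings:
        reason = classify(m)
        if reason:
            out.append({"start": m["start"], "end": m["end"], "perms": m["perms"],
                        "path": m["path"], "reason": reason})
    return out


def scan_process(pid):
    """Run the check against a live process (Linux only; needs read access
    to /proc/<pid>/maps)."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_exec_mappings(parse_maps(fh.read()))


if __name__ == "__main__":
    for f in suspicious_exec_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"{f['start']}-{f['end']} {f['perms']} {f['reason']:9} {f['path'] or '<anonymous>'}")
```

A hit here is a triage signal, not a verdict: JIT runtimes (browsers, Java, .NET) legitimately create anonymous executable regions, so the useful move is to dump the flagged region for analysis while it still exists, since, as the article notes, nothing of it will be left once the process exits.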

‘The heist worked in three stages, with the first two using commands that instructed the ATM to withdraw the bills stored in cassettes and place them in line to be dispensed, and the third stage using a command that opened the mouth of the ATM. It was at this point that the command, "Take the money bitch," appeared in the log file, and possibly on the ATM's screen as well to signal the money mule to grab the bills and go,’ a security analyst from Kaspersky told Motherboard in an interview.
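The sequence the analyst describes (dispense commands, then a command that opens the shutter, then a free-text message) leaves a recognisable shape in an ATM's own event log even when the malware itself is gone. The following is an added example, not code from the article or from Kaspersky: a small Python audit over constructed log lines that flags dispenses with no card session or host authorization behind them, and screen text outside the machine's normal message catalogue. The log format, event names and field names are assumptions made for the example; real ATM software logs differently.

```python
"""Audit of constructed ATM event-log lines for the dispense pattern
described above. The log format, event and field names are assumptions
made for this example, not a real vendor's format."""
import re
from dataclasses import dataclass

# Hypothetical line format: <ISO timestamp> <EVENT> [key=value ...]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Messages the machine is expected to show; anything else is worth a look.
APPROVED_SCREEN_TEXT = {"Please take your cash", "Transaction complete"}

# Constructed sample. The first seven lines are a normal withdrawal: card read,
# PIN verified, host authorization, one dispense tied to that transaction.
# The rest is the heist pattern: dispense, present and shutter commands with no
# card, PIN or authorization behind them, repeated, plus a free-text message.
SAMPLE_LOG = """\
2017-01-10T02:10:01 CARD_READ pan_hash=a1b2
2017-01-10T02:10:07 PIN_VERIFIED
2017-01-10T02:10:09 HOST_AUTH txn=1001 amount=5000
2017-01-10T02:10:10 CDM_DISPENSE txn=1001 cassette=2 count=10
2017-01-10T02:10:12 CDM_PRESENT txn=1001
2017-01-10T02:10:13 SHUTTER_OPEN
2017-01-10T02:10:20 CARD_EJECT
2017-01-10T03:00:00 CDM_DISPENSE cassette=1 count=40
2017-01-10T03:00:00 CDM_DISPENSE cassette=2 count=40
2017-01-10T03:00:02 CDM_PRESENT
2017-01-10T03:00:02 SHUTTER_OPEN
2017-01-10T03:00:02 SCREEN text="Take my money, bitch"
2017-01-10T03:00:31 CDM_DISPENSE cassette=1 count=40
2017-01-10T03:00:31 CDM_DISPENSE cassette=2 count=40
2017-01-10T03:00:33 CDM_PRESENT
2017-01-10T03:00:33 SHUTTER_OPEN
"""


@dataclass
class Event:
    ts: str
    event: str
    fields: dict


def parse_log(text):
    """Parse lines into Event records; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        events.append(Event(m.group("ts"), m.group("event"), fields))
    return events


def audit(events):
    """Flag dispenses not covered by a host authorization in the current card
    session, and screen text outside the approved catalogue."""
    authorized = set()  # transaction ids authorized since the last card eject
    findings = {"unauthorized_dispenses": [], "unexpected_screen_text": [],
                "notes_at_risk": 0}
    for ev in events:
        if ev.event == "HOST_AUTH":
            authorized.add(ev.fields.get("txn"))
        elif ev.event == "CARD_EJECT":
            authorized.clear()
        elif ev.event == "CDM_DISPENSE":
            # A dispense with no txn id, or one the host never authorized,
            # is exactly what a direct command to the dispenser looks like.
            if ev.fields.get("txn") not in authorized:
                findings["unauthorized_dispenses"].append(ev)
                findings["notes_at_risk"] += int(ev.fields.get("count", "0"))
        elif ev.event == "SCREEN":
            text = ev.fields.get("text", "")
            if text not in APPROVED_SCREEN_TEXT:
                findings["unexpected_screen_text"].append(text)
    return findings


if __name__ == "__main__":
    result = audit(parse_log(SAMPLE_LOG))
    for ev in result["unauthorized_dispenses"]:
        print(f"{ev.ts} dispense without authorization: {ev.fields}")
    print("notes dispensed without authorization:", result["notes_at_risk"])
    print("unexpected screen text:", result["unexpected_screen_text"])
```

The value of a check like this is that it runs on the dispenser's own records rather than on the malware, which in this case had already removed itself; the gap between the authorization layer and the cash-handling layer is where the theft shows up.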


No arrests have been made in the heist yet. Kaspersky thinks the culprits might be connected to one of two previously known gangs of bank hackers, one of them the group known as Carbanak.

