FBI FLASH Alert: Ploutus Malware Is Draining ATMs Without Cards. Here’s What Businesses Should Learn

When people think “cyberattack,” they picture phishing emails, stolen passwords, or ransomware.
The FBI just reminded everyone that sometimes attackers skip your accounts entirely and go straight for the machine.

A new wave of attacks using Ploutus malware is hitting U.S. ATMs with a technique called “jackpotting”: criminals force an ATM to dispense cash without a card, without a customer account, and without bank authorization.

This isn’t “bank fraud.” It’s closer to device hijacking.

What Ploutus Does (in plain English)

ATMs rely on a software layer called XFS (eXtensions for Financial Services). That layer controls the hardware: cash dispenser, card reader, receipt printer, and more.

Ploutus abuses XFS by issuing its own commands directly to the ATM hardware, most importantly the cash dispenser.
No legitimate banking transaction is required. The ATM becomes a standalone cash machine under criminal control.

How Attackers Get It Installed

This part is the most frustrating because it’s not sophisticated. It’s practical.

In many cases, attackers:

  • Gain physical access to the ATM (sometimes using commonly available keys or by opening the machine)

  • Plug in USB devices (drives, keyboards, hubs)

  • Install malware directly, or even pull the hard drive, load it elsewhere, then reinstall it

The FBI also warns about misuse of remote-access tools (think: AnyDesk/TeamViewer-style access) as part of staging or controlling the attack.

Why This Matters to Small Businesses (not just banks)

You might be thinking: “Okay… but I don’t own an ATM.”

Here’s the lesson:

Attackers don’t always need to steal your logins. If they can control the device, they can control the outcome.

This is the same mindset behind:

  • POS terminal tampering

  • “Bad USB” attacks in offices

  • Rogue remote access

  • Unmonitored endpoints and unmanaged PCs

If your business has computers that:

  • accept external devices

  • run outdated Windows builds

  • have weak local admin controls

  • don’t have proper monitoring

…you’re already playing defense with one hand tied behind your back.

What You Can Do Right Now

Here are practical moves that translate directly from the FBI guidance into real-world business protection:

Lock down endpoints

  • Application control / allow-listing where possible

  • Block unknown executables and scripts

Control USB and removable media

  • Restrict USB storage devices

  • Log and alert on new device connections

Harden access

  • Remove unnecessary local admin rights

  • Use strong MFA where possible

Monitor the basics

  • Alerts for new processes, unusual services, unknown remote tools

  • Integrity checking and baseline comparisons for key systems

Encrypt what matters

  • Full disk encryption reduces “pull the drive and copy tools” scenarios
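To show what "log and alert on new device connections" and "alerts for new processes and unknown remote tools" look like in practice, here is a small baseline-comparison triage routine. It is an added example written for this post, not tooling from the FBI alert or from SpeakGeek; the host names, device IDs and baselines are constructed, and the event shape only loosely mirrors Windows process-creation and Plug-and-Play events.

```python
"""Baseline-based triage of endpoint events (added example; sample data is constructed)."""
from dataclasses import dataclass

# Remote-access tools the post names; matched case-insensitively on the image name.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}


@dataclass(frozen=True)
class Event:
    host: str
    kind: str   # "process" (new process image) or "usb" (device connected)
    value: str  # full image path, or a USB device instance id


# Constructed sample telemetry: one ATM and one POS terminal.
SAMPLE_EVENTS = [
    Event("atm-01", "process", r"C:\Windows\System32\svchost.exe"),
    Event("atm-01", "usb", "USB\\VID_0951&PID_1666\\001A"),      # never seen before
    Event("atm-01", "process", r"C:\Users\Public\AnyDesk.exe"),   # remote-access tool
    Event("pos-07", "process", r"C:\Program Files\Vendor\pos.exe"),
    Event("pos-07", "usb", "USB\\VID_046D&PID_C31C\\KBD01"),       # the usual keyboard
]

# Per-host baselines: what is expected to run, and which devices are expected to connect.
PROCESS_BASELINE = {
    "atm-01": {r"c:\windows\system32\svchost.exe"},
    "pos-07": {r"c:\program files\vendor\pos.exe"},
}
DEVICE_BASELINE = {
    "pos-07": {"USB\\VID_046D&PID_C31C\\KBD01"},
}


def triage(events, process_baseline, device_baseline):
    """Return (host, reason, detail) alerts: known remote-access tools, processes
    outside the host's baseline, and USB devices not in the host's device baseline."""
    alerts = []
    for ev in events:
        if ev.kind == "process":
            image = ev.value.rsplit("\\", 1)[-1].lower()
            if image in REMOTE_ACCESS_TOOLS:
                alerts.append((ev.host, "remote-access-tool", image))
            elif ev.value.lower() not in process_baseline.get(ev.host, set()):
                alerts.append((ev.host, "unbaselined-process", image))
        elif ev.kind == "usb" and ev.value not in device_baseline.get(ev.host, set()):
            alerts.append((ev.host, "new-usb-device", ev.value))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, PROCESS_BASELINE, DEVICE_BASELINE):
        print(*alert)
```

On the sample data, the ATM raises two alerts (an unrecognised USB device and a remote-access tool launched from a user-writable folder) while the POS terminal stays quiet, which is the signal a small business wants routed to whoever can walk over and look at the machine.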

The SpeakGeek Take

Most “cyber incidents” aren’t movie-hacker moments. They’re operational failures:

  • weak controls

  • weak visibility

  • weak follow-through

If you want to know where you stand, we can run a quick risk check and tell you what’s exposed, what’s outdated, and what’s actually worth fixing first.

SpeakGeek PCs
Local, practical cybersecurity that doesn’t waste your time.
