Pakistan cybersecurity agency and payment operator dismiss 'ransomware attack' rumours

Pakistan's ATMs were not affected by a "massive ransomware attack", the country's largest payments operator and the government cybersecurity agency said after social media posts falsely claimed the purported attack would shut cash machines for up to three days. The false posts circulated as internet speeds have taken a sharp dip in the South Asian country, but the cybersecurity agency said Pakistan's banking infrastructure, including ATMs, was functioning smoothly.

"ATM's will be close (sic) for next 2-3 days probably, due to ransomeware (sic) cyber-attack within Pakistan. Don't do any online transactions today," read part of a Facebook post shared on August 18, 2024.

The post falsely claimed the "massive ransomeware attack" had affected 74 countries. It also warned readers against opening a video called "Dance of the Hillary" on their mobile phones and opening any emails with the attachment "tasksche.exe". 

Attached to the post was a graphic of an MCB Islamic Bank cash machine with text that reads: "ATM Advisory".

Screenshot of the false Facebook post, captured on September 1, 2024

The false posts circulated as Pakistan faced an internet slowdown (archived link).

Since July, networks have been operating as much as 40 percent slower than normal, according to one IT association, with WhatsApp and VPN (virtual private network) connections severely disrupted.

Digital rights experts have suggested the government could be testing a firewall -- a security system that monitors network traffic but can also be used to control online spaces.

The government initially blamed the slowdown on a surge in VPNs, before the Pakistan Telecommunications Authority later faulted damage to underwater internet cables.

The same claim about cashpoints being closed due to a ransomware attack was shared on Facebook here and here, and on X here.

Pakistan's largest payments operator 1Link -- a consortium of major banks, including MCB -- and the government's cybersecurity agency both said the ATMs closure claim is false (archived link).

'No cyber threat observed'

In August, payments operator 1Link warned of "fake rumours" circulating online and advised the public "not to pay any attention to such hoaxes" (archived link).

It said: "A similar scare surfaced in 2017 during the 'Wannacry Ransomware,' cyber attack, which targeted Microsoft Windows machines, including those used by banks. However, the Pakistan banking sector successfully defended against those attacks in 2017."

"Thus far, no cyber threat has been observed on the ATM and online banking ecosystem in this context, and the financial service industry remains vigilant," it added.

A reverse image search of the graphic included in the false post led to the same graphic posted on the verified Facebook page of MCB Islamic Bank on August 28, 2022 (archived link).

At that time, the graphic featured in a post about precautions customers should take when using cashpoints, such as not sharing their PINs. 

Below is a screenshot comparison of the graphic used in the false post (left) and the graphic used in the MCB Islamic Bank post (right): 

Screenshot comparison of the graphic used in the false post (left) and the graphic used in the MCB Islamic Bank post (right)

Pakistani government agencies also described the ATMs shutdown claim as "fake".

The National Cyber Emergency Response Team of Pakistan issued a public warning on August 18, 2024, titled "Beware of Fake Rumors Circulating About ATM Closures and Online Banking" (archived link).

"The banking infrastructures including ATMs are functioning smoothly," it said, adding: "The public is strongly advised to disregard these false rumors and instead seek guidance directly from their respective banks or financial institutions."

The false posts had wrongly claimed the warning about the ATMs was announced on "BBC radio", but the web-based BBC Urdu service noted its last radio broadcast was on December 31, 2022 (archived link) and added that the BBC had not published any news about the purported shutting of cash machines or of a cyberattack.

The warning about opening the "Dance of the Hillary" video echoed other baseless malware claims previously debunked by AFP and fact-checking organisation Snopes (archived link).

There is some truth to the posts' warnings about not opening emails that include an attachment named "tasksche.exe", however. According to Microsoft, that file could indicate a computer has been compromised by the WannaCry ransomware (archived link).

Pakistani media outlets Dawn and Dunya News have also debunked the false ATM closure claims (archived links here and here).
