Claim: A viral message warns Pakistani people against conducting any online transactions as ATMs will remain closed for the next two to three days after a ransomware cyberattack in the country. It advises people not to open a video clip called the “Dance of the Hillary,” which is a virus that wipes one’s mobile phone data, or emails containing attachments named “tasksche.exe”. It further says that BBC Radio made an announcement about the aforementioned warnings after 74 countries experienced a similar ransomware cyberattack.
Fact: The viral message circulating on social media and WhatsApp is an old hoax, dating back to at least 2015. Local payment systems operator 1LINK has confirmed that ATMs will not be closed in Pakistan and termed the text “false” and a “hoax”. Pakistan’s cyber emergency response team PKCERT has issued a similar advisory. The SBP has not issued any advisory, which it would if there actually was such a ransomware cyberattack.
On 18 August 2024, Soch Fact Check received a message marked “Forwarded many times” on WhatsApp, stating that Pakistan was subjected to a ransomware cyberattack and that automated teller machines (ATMs) would remain closed for two to three days.
The message also advised people against conducting online transactions and opening a video called “Dance of the Hillary” or emails with attachments named “tasksche.exe”. It alleged that BBC Radio had made the announcement after 74 countries experienced a similar attack.
The entire content of the viral message is as follows:
“ATM ‘s will be close for next 2-3 days probably, due to ransomeware cyber-attack within Pakistan. Don’t do any online transactions today. Please inform all contacts from your list not to open a video called the “Dance of the Hillary”. It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on BBC radio. Kindly share Massive Ransomeware attack…Total 74 countries affected…Please do not open any email which has attachments with “tasksche.exe” file. Please send this important message to all your computer users”
Since the message mentioned “next 2-3 days” and not a specific time, many people who fall victim to it are left believing the ATM closure may occur two to three days from the time they received the text. This phrasing allows the message to get recycled from time to time.
Fact or Fiction?
Soch Fact Check first checked the website of the State Bank of Pakistan (SBP) as it would normally provide updates or advisories if ATMs nationwide were at risk of a cyberattack. However, we did not find anything relevant and there is no information on the central bank’s social media accounts either.
The SBP did not provide a comment despite multiple requests via email and phone calls to its spokesperson’s office.
If a ransomware cyberattack were to happen, it would be reported not just by local media outlets but international ones as well.
On the contrary, Soch Fact Check found a statement issued on 18 August 2024 by Pakistan’s primary payment systems operator/provider (PSO/PSP), 1LINK (Pvt) Limited, which termed the claim a “false message” and “hoax”.
It said, “This is to inform [the] general public and allay the fears created by a false message being circulated on different WhatsApp groups and social media platforms, warning people to avoid using ATMs and Online Banking in Pakistan. A similar scare surfaced in 2017 during the ‘Wannacry Ransomware,’ cyber attack, which targeted Microsoft Windows machines, including those used by banks. However, the Pakistan banking sector successfully defended against those attacks in 2017. The public is advised not to pay any attention to such hoaxes and to consult their banks for any guidance.”
“Thus far, no cyber threat has been observed on the ATM and online banking ecosystem in this context, and the financial service industry remains vigilant as ever before,” 1LINK added.
The National Cyber Emergency Response Team of Pakistan (PKCERT) also issued an advisory, which can be read in full here, stating that the viral messages are “false rumors”.
After consulting with the SBP and all relevant stakeholders, the PKCERT said “no such incident has so far been reported and the banking infrastructures including ATMs are functioning smoothly” and that its advisory “aims to clarify these concerns and prevent unnecessary panic”.
It urged people to report any suspicious activity or potential scam to the bank, as well as PKCERT, through this form.
We also came across a clarification issued on 24 August 2024 by the Pakistan Telecommunication Authority (PTA) — in English and Urdu — in which the body said there was “fake news circulating in the media about potential closure of ATMs” but that “currently there is no such issue of non availability/ closure of LDI networks that may potentially impact IT or financial sector including ATM networks”.
“Please note that operations of the expired LDI licensees are not suspended or shutdown,” the PTA added.
The PTA’s clarification was in response to reports by multiple media outlets here, here, here, here, here, here, and here.
As for the “Dance of the Hillary” portion of the viral text, a Google search led us to multiple articles and posts debunking the claim, which appears to have been in circulation for years. Other versions of the hoax in the past included “Dance of the Pope,” “Sonia Disowns Rahul,” “Martinelli,” and “Dance of the Dad,” which have been debunked by Snopes, BOOM Live, Ici Radio-Canada, Teyit, and Full Fact, respectively.
Moreover, the viral message cites “BBC radio” as the source of its information but we did not find any evidence that the British public service broadcaster ever made such an announcement. BBC Urdu clarified (archive) in an article that the attribution is false as BBC Urdu Radio’s last broadcast was on 31 December 2022. “The BBC has not broadcast any news about ATM machines being shut down in Pakistan or any cyber attack for the past several days,” it wrote.
Soch Fact Check has reached out to the BBC’s press office for a comment and will update this article if and when we receive a response.
With regard to the warning against opening the “tasksche.exe” attachment, we found that the file named as such is relevant to WannaCry, a ransomware attack that occurred around the world in May 2017, using a cryptoworm and impacting over 200,000 computers. Ransomware is a malicious software that forces its victim to pay a ransom in order to resume access to their own files that get locked during an attack.
The “tasksche.exe” file results in malicious activity and its threats include ransomware and WannaCry, according to different sandbox services, including ANY.RUN and Joe Sandbox Cloud. A sandbox is an environment available on “an isolated virtual machine in which potentially unsafe software code can execute without affecting network resources or local applications”, wrote Proofpoint, Inc., an American enterprise cybersecurity company.
In a 12 May 2017 blog, Microsoft Security said it detected WannaCry — which is also known as WannaCrypt, WanaCrypt0r, WCrypt, and WCRY — the same day and that it “targets out-of-date systems”. The ransomware “has worm capabilities” and “can stop you from using your PC or accessing your data”, the article added, sharing a guide for customers to defend themselves against such an attack.
Microsoft Security noted that “computers that have not applied the patch for these vulnerabilities” were affected by WannaCry and advised users to install it right away. The vulnerability that the ransomware exploited was “fixed in security bulletin MS17-010, which was released on March 14, 2017”, it added.
McAfee stated in a 12 May 2017 blog that an infected “system will spread the ransomware to all vulnerable Windows systems not patched for MS17-010”.
In a WannaCry profile published on 23 May 2017 by Google Cloud Platform (GCP), the filetype of “tasksche.exe” is said to be “Loader” and its size is 3.5 MBs.
On 20 May 2018, Rafay Baloch, a Pakistani ethical hacker and cyber security expert, had announced that the same message is actually a “hoax”. He wrote, “Guys this is hoax, this is no such virus called ‘Dance of the Hillary’ and there is no such thing announced on BBC Radio.”
Professor Brian J Ford, an author and scientist, also wrote a similar message in a 17 October 2017 LinkedIn post. “There is a new warning going around today: it is a hoax,” he said, adding, “There was no such announcement. There is no such virus.”
Soch Fact Check, therefore, concludes that the claim in the viral WhatsApp message is false and has been circulating since at least 2015.
Virality
Soch Fact Check found the claim published here, here, here, here, here, and here on Facebook.
We also found the same claim circulating here on TikTok, and here, here, here, here, here, and here on X (erstwhile Twitter).
Conclusion: The viral message circulating on social media and WhatsApp is an old hoax, dating back to at least 2015. Local payment systems operator 1LINK has confirmed that ATMs will not be closed in Pakistan and termed the text “false” and a “hoax”. Pakistan’s cyber emergency response team PKCERT has issued a similar advisory. Moreover, the SBP has not issued any advisory, which it would if there actually was such a ransomware cyberattack.
Background image in cover photo: Nick Pampoukidis
To appeal against our fact-check, please send an email to appeals@sochfactcheck.com