Pakistan-Linked Cyber Attack Forcing Closure Of ATMs? Here’s The Truth Behind Viral Whatsapp Message

Claim

ATMs to be closed for two-three days owing to a ransomware cyber attack, originating from Pakistan. The posts also warn users against opening a video file called the “Dance of the Hillary” and an email attachment named ‘tasksche.exe’ as it is a virus that formats your mobile phones.

The archived version of the post can be seen here. We received this claim on our Whatsapp tipline (+91-9999499044), too, with users requesting us to fact-check it.

Fact

Newschecker ran a keyword search for “ATMs closed cyber-attack”, which led us to multiple media reports, seen here, here and here, stating that the viral Whatsapp message is fake and baseless. The reports directed us to PIB Fact Check’s post on May 9, 2025, debunking the message, calling it out as fake, while assuring citizens that ATMs will continue to operate as usual.

Also, State Bank of India (SBI), Canara Bank, Bank of Baroda, Indian Bank, and Punjab National Bank took to X on May 9, 2025, to refute the rumours, stating that there are no shutdowns and that their ATMs would remain functional.

Is There A ‘Dance Of The Hillary’ Virus?

Newschecker ran a keyword search for “Dance of the Hillary virus,” which led us to this The New Indian Express report, dated May 16, 2017, stating that a then viral Whatsapp message warning users against a “Dance of the Hillary” virus that formats your mobile, and claiming that it was announced on BBC radio, is a hoax.  Similar The Star and NewsMinute reports, dated May 16, 2017, state that the message is an old hoax.

A further search led us to this Snopes report, dated April 7, 2015, stating that in early April 2015, several false claims warning mobile phone users of a malware attachment known as the Dance of the Pope (later Dance of the Hillary) began to circulate. “No radio stations were linked to the purported announcement; no news outlets reported the story; none of the antivirus companies had heard of it; and, most tellingly, no one appeared to have experienced the virus on his own device. If the virus were real, many users would have encountered and unwittingly opened the attachment despite the circulating warning by now,” read the report.

We reached out to Karan Saini, a cybersecurity researcher, who said the exact message has been around since 2017. “While ransomware attacks are a real threat, and part of the advice offered in this hoax, i.e., to not open executable files received via email is reasonable, there is no basis in reality for the other claims made. This particular hoax message seems to have first surfaced in 2017, when ‘ransomware’ entered the common lexicon following the WannaCry attack,” said Saini.

We came across this X post, dated May 9, 2025, by Sunny Nehra, founder of cybersecurity company Secure Your Hacks, who also confirmed that the viral Whatsapp message is an old hoax being circulated again, while clarifying that ‘tasksche.exe’ is a known file indicator to all anti-virus companies and that it would easily get detected by any anti-virus software.

“…Remember the famous WannaCry ransomware attack? During its execution, it would create a file with the name “tasksche.exe” in your computer. Note that Windows OS has a legitimate process “tasksche.msc” with similar name.”, so this file (tasksche.exe) name was chosen by the ransomware to evade suspicion (common tactic among malwares to create files with names similar to legitimate Windows OS processes). So, the hoax creators most probably picked this file name from WannaCry attack details. Note that this particular file indicator is very well known to all antivirus companies at the date (that same file with same hash value, etc would get detected by your antivirus including in-built windows Defender). Again I say, being exe it WON’T EXECUTE IN YOUR PHONE,” read the post.

Newschecker learnt that WannaCry Ransomware was a high-profile ransomware attack that rapidly spread through computer networks around the world in May 2017. The attack targeted a vulnerability in old Windows versions, for which a patch was released by Windows more than two months before WannaCry spread across the world. Similar to the spread of ransomware through malicious links, phishing emails also reportedly spread malware through email attachments, which further confirms that fraudsters created the hoax message inspired by details from this ransomware attack.

“It is generally advisable to not open any executable files received via email. The tasksche.exe file mentioned in the hoax further confirms it is about the WannaCry attack,” Saini told Newschecker.

Also Read: Neither Gujarat, Nor Udhampur! Video From Nepal Shared As Aftermath Of Pakistan’s Attack On India

Sources
PIB Fact Check post, X, May 9, 2025
SBI post, X May 9, 2025
Canara Bank post, X, May 9, 2025
Indian Bank post, X, May 9, 2025
Bank of Baroda post, X, May 9, 2025
PNB post, X, May 9, 2025
Conversation with Karan Saini, cybersecurity researcher
X post, Sunny Nehra, founder of cybersecurity firm Secure Your Hacks, May 9, 2025