Monday, May 5, 2025
HomeCyber Security NewsPayment Processing Giant NCR Global Hit By Ransomware Attack

Payment Processing Giant NCR Global Hit By Ransomware Attack

Published on

SIEM as a Service

Follow Us on Google News

NCR, a major player in the US payments industry, admitted it was a target of a ransomware attack for which the BlackCat/Alphv group claimed responsibility.

On April 12, NCR revealed that it was looking into an “issue” with its Aloha restaurant point-of-sale (PoS) system. 

The business announced an outage at a single data center had affected just a few of its hospitality customers’ ancillary Aloha applications on April 15.

- Advertisement - Google News

“On April 13, we confirmed that the outage was the result of a ransomware incident. Immediately upon discovering this development we began contacting customers, engaged third-party cybersecurity experts and launched an investigation. Law enforcement has also been notified,” NCR said.

NCR is a software and technology consulting firm in the United States that offers restaurants, enterprises, and retailers digital banking, POS systems, and payment processing solutions.

Since Wednesday, one of its products, the Aloha POS platform used in the hospitality industry, has been down, making it impossible for customers to use.

Ransomware Attack That Led to the Outages

After going silent for many days, NCR finally revealed today that the Aloha POS platform’s data centers were the target of a ransomware attack that triggered the outage.

“As a valued customer of NCR Corporation, we are reaching out with additional information about a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers,” reads an email sent to Aloha POS customers.

According to a statement NCR provided to BleepingComputer, just a subset of their Aloha POS hospitality customers are affected by this outage, along with a “limited number of ancillary Aloha applications.”

However, Aloha POS customers have reported on Reddit that the downtime significantly hindered their ability to conduct business.

“Restaurant manager here, small franchise stuck in the Stone Age with around 100 employees. We’re doing the old pen and paper right now and sending to head office. The whole situation is a huge migraine,” a user wrote on the AlohaPOS Reddit.

Other users are anxious about making payroll on time for their employees, with many customers urging that data be extracted manually from the data files until the outage is resolved.

“We have a clear path to recovery and we are executing against it. We are working around the clock to restore full service for our customers,” NCR informed BleepingComputer. 

“In addition, we are providing our customers with dedicated assistance and workarounds to support their operations as we work toward full restoration.”

On the data leak site used by the BlackCat/ALPHV ransomware gang, cybersecurity researcher Dominic Olivieri saw a short-lived post where the threat actors took ownership.

A section of the negotiation dialogue between the ransomware gang and an alleged NCR official was also included in this post.

In his discussion, the ransomware group allegedly informed NCR that they had not stolen any server-stored data during the attack.

Threat actors stated that they had stolen login information for NCR’s customers and threatened to publish it if a ransom was not paid.

“We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment,” the threat actors told NCR.

BlackCat has since removed the NCR post from their data breach website, hoping the firm will agree to discuss a ransom.

With a highly advanced encryptor that allowed for extensive attack customization, the BlackCat ransomware gang began operating in November 2021 and had ransom demands ranging from $35,000 to over $10 million.

Internally, the threat actors use ALPHV when discussing their activities in negotiations and hacker forums.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Related Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...

Researcher Uses Copilot with WinDbg to Simplify Windows Crash Dump Analysis

A researcher has unveiled a novel integration between AI-powered Copilot and Microsoft's WinDbg, dramatically...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...