Payment Processing Giant NCR Global Hit By Ransomware Attack

NCR, a major player in the US payments industry, admitted it was a target of a ransomware attack for which the BlackCat/ALPHV group claimed responsibility.

On April 12, NCR revealed that it was looking into an “issue” with its Aloha restaurant point-of-sale (POS) system.

On April 15, the company announced that an outage at a single data center had affected just a few of its hospitality customers’ ancillary Aloha applications.

“On April 13, we confirmed that the outage was the result of a ransomware incident. Immediately upon discovering this development we began contacting customers, engaged third-party cybersecurity experts and launched an investigation. Law enforcement has also been notified,” NCR said.

NCR is a software and technology consulting firm in the United States that offers restaurants, enterprises, and retailers digital banking, POS systems, and payment processing solutions.

Since Wednesday, one of its products, the Aloha POS platform used in the hospitality industry, has been down, making it impossible for customers to use.

Ransomware Attack That Led to the Outages

After going silent for many days, NCR finally revealed today that the Aloha POS platform’s data centers were the target of a ransomware attack that triggered the outage.

“As a valued customer of NCR Corporation, we are reaching out with additional information about a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers,” reads an email sent to Aloha POS customers.

According to a statement NCR provided to BleepingComputer, only a subset of its Aloha POS hospitality customers is affected by this outage, along with a “limited number of ancillary Aloha applications.”

However, Aloha POS customers have reported on Reddit that the downtime significantly hindered their ability to conduct business.

“Restaurant manager here, small franchise stuck in the Stone Age with around 100 employees. We’re doing the old pen and paper right now and sending to head office. The whole situation is a huge migraine,” a user wrote on the AlohaPOS Reddit.

Other users are anxious about making payroll on time for their employees, with many customers urging that data be extracted manually from the data files until the outage is resolved.

“We have a clear path to recovery and we are executing against it. We are working around the clock to restore full service for our customers,” NCR informed BleepingComputer. 

“In addition, we are providing our customers with dedicated assistance and workarounds to support their operations as we work toward full restoration.”

Cybersecurity researcher Dominic Olivieri saw a short-lived post on the data leak site used by the BlackCat/ALPHV ransomware gang in which the threat actors claimed responsibility for the attack.

A section of the negotiation dialogue between the ransomware gang and an alleged NCR official was also included in this post.

In this discussion, the ransomware group allegedly informed NCR that they had not stolen any server-stored data during the attack.

Threat actors stated that they had stolen login information for NCR’s customers and threatened to publish it if a ransom was not paid.

“We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment,” the threat actors told NCR.

BlackCat has since removed the NCR post from their data breach website, hoping the firm will agree to discuss a ransom.

The BlackCat ransomware gang began operating in November 2021 with a highly advanced encryptor that allowed for extensive attack customization, and its ransom demands ranged from $35,000 to over $10 million.

Internally, the threat actors use the name ALPHV when discussing their activities in negotiations and on hacker forums.


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
