Tuesday, November 12, 2024
HomeCyber Security NewsPayment Processing Giant NCR Global Hit By Ransomware Attack

Payment Processing Giant NCR Global Hit By Ransomware Attack

Published on

Malware protection

NCR, a major player in the US payments industry, admitted it was a target of a ransomware attack for which the BlackCat/Alphv group claimed responsibility.

On April 12, NCR revealed that it was looking into an “issue” with its Aloha restaurant point-of-sale (PoS) system. 

The business announced an outage at a single data center had affected just a few of its hospitality customers’ ancillary Aloha applications on April 15.

- Advertisement - SIEM as a Service

“On April 13, we confirmed that the outage was the result of a ransomware incident. Immediately upon discovering this development we began contacting customers, engaged third-party cybersecurity experts and launched an investigation. Law enforcement has also been notified,” NCR said.

NCR is a software and technology consulting firm in the United States that offers restaurants, enterprises, and retailers digital banking, POS systems, and payment processing solutions.

Since Wednesday, one of its products, the Aloha POS platform used in the hospitality industry, has been down, making it impossible for customers to use.

Ransomware Attack That Led to the Outages

After going silent for many days, NCR finally revealed today that the Aloha POS platform’s data centers were the target of a ransomware attack that triggered the outage.

“As a valued customer of NCR Corporation, we are reaching out with additional information about a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers,” reads an email sent to Aloha POS customers.

According to a statement NCR provided to BleepingComputer, just a subset of their Aloha POS hospitality customers are affected by this outage, along with a “limited number of ancillary Aloha applications.”

However, Aloha POS customers have reported on Reddit that the downtime significantly hindered their ability to conduct business.

“Restaurant manager here, small franchise stuck in the Stone Age with around 100 employees. We’re doing the old pen and paper right now and sending to head office. The whole situation is a huge migraine,” a user wrote on the AlohaPOS Reddit.

Other users are anxious about making payroll on time for their employees, with many customers urging that data be extracted manually from the data files until the outage is resolved.

“We have a clear path to recovery and we are executing against it. We are working around the clock to restore full service for our customers,” NCR informed BleepingComputer. 

“In addition, we are providing our customers with dedicated assistance and workarounds to support their operations as we work toward full restoration.”

On the data leak site used by the BlackCat/ALPHV ransomware gang, cybersecurity researcher Dominic Olivieri saw a short-lived post where the threat actors took ownership.

A section of the negotiation dialogue between the ransomware gang and an alleged NCR official was also included in this post.

In his discussion, the ransomware group allegedly informed NCR that they had not stolen any server-stored data during the attack.

Threat actors stated that they had stolen login information for NCR’s customers and threatened to publish it if a ransom was not paid.

“We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment,” the threat actors told NCR.

BlackCat has since removed the NCR post from their data breach website, hoping the firm will agree to discuss a ransom.

With a highly advanced encryptor that allowed for extensive attack customization, the BlackCat ransomware gang began operating in November 2021 and had ransom demands ranging from $35,000 to over $10 million.

Internally, the threat actors use ALPHV when discussing their activities in negotiations and hacker forums.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Related Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...