NCR is experiencing an outage on its Aloha POS platform as a result of a ransomware attack claimed by the BlackCat/ALPHV gang.
NCR is a software and technology consulting firm based in the United States that offers digital banking, POS systems, and payment processing solutions to restaurants, enterprises, and retailers.
One of their products, the Aloha POS platform used in the hospitality industry, has been down since Wednesday, preventing consumers from using the system.
After days of silence, NCR has revealed that the outage was caused by a ransomware attack on the data centers that power its Aloha POS systems.
"As a valued customer of NCR Corporation, we are reaching out with additional information about a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers, On April 13, we confirmed that the outage was the result of a ransomware incident. Immediately upon discovering this development we began contacting customers, engaged third-party cybersecurity experts and launched an investigation. Law enforcement has also been notified, " reads an email sent to Aloha POS customers.
NCR told BleepingComputer that the outage affects only a fraction of its Aloha POS hospitality customers and a "limited number of ancillary Aloha applications." Customers of Aloha POS, on the other hand, have reported on Reddit that the downtime has caused considerable problems in their business operations.
"Restaurant manager here, small franchise stuck in the Stone Age with around 100 employees. We're doing the old pen and paper right now and sending it to head office. The whole situation is a huge migraine," a customer posted to the AlohaPOS Reddit.
Other users are concerned about making payroll for their employees on time, with many customers requesting that data be manually extracted from the data files until the outage is resolved.
"We have a clear path to recovery and we are executing against it. We are working around the clock to restore full service for our customers," NCR told BleepingComputer. "In addition, we are providing our customers with dedicated assistance and workarounds to support their operations as we work toward full restoration."
Unfortunately, interruptions induced by attacks like these can take a long time to fix in a secure manner, as evidenced by the recent DISH and Western Digital breaches. While NCR did not reveal which ransomware operation was responsible for their attack, cybersecurity researcher Dominic Alivieri discovered a brief post on the BlackCat/ALPHV ransomware gang's data breach site in which the threat actors claimed responsibility.
This post also featured a snippet of the alleged NCR representative's negotiation chat exchange with the ransomware gang. The ransomware group told NCR in his discussion that they had not stolen any data from servers during the attack. However, the threat actors claimed to have stolen NCR customers' passwords and threatened to publish them if a ransom was not paid.
"We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment," the threat actors told NCR.
BlackCat has subsequently removed the NCR post from their data breach site, most likely in the hopes that the corporation will be prepared to negotiate a payment. The BlackCat ransomware group began operations in November 2021, using a very sophisticated encryptor that allowed for a wide range of attack customization.
The ransomware group was given the name BlackCat after discovering an image of a black cat on its data leak site. However, while discussing their activity on cyber forums and in negotiations, the threat actors refer to themselves as ALPHV.
Since its inception, the ransomware operation has grown to become one of the major ransomware operations currently operating, responsible for hundreds of attacks globally, with ransom demands ranging from $35,000 to more than $10 million.
