NCR was the victim of BlackCat/ALPHV ransomware gang

NCR was the victim of the BlackCat/ALPHV ransomware gang, the attack caused an outage on the company’s Aloha PoS platform.

NCR Corporation, previously known as National Cash Register, is an American software, consulting and technology company providing several professional services and electronic products. It manufactures self-service kiosks, point-of-sale terminals, automated teller machines, check processing systems, and barcode scanners.

NCR is suffering an outage on its Aloha point of sale platform since Wednesday after it was hit by a ransomware attack conducted by the BlackCat/ALPHV ransomware group.

NCR Aloha POS is a comprehensive restaurant point-of-sale and management software, the company claims it is used by more cashiers and servers than any other POS in the industry.

The company has started notifying its customers, confirming the ransomware attack:

“As a valued customer of NCR Corporation, we are reaching out with additional information about a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers. On April 13, we confirmed that the outage was the result of a ransomware incident.” reads the notice sent by the company to the customers via email.

NCR notified law enforcement and engaged third-party cybersecurity experts to investigate the incident and determine the scope of the attack.

The company pointed out that restaurants impacted are still able to serve their customers and that the incident only impacted a specific functionality.

“Only specific functionality is impaired. There is no impact to payment applications or on-premises systems.” continues the notice.

As reported by BleepingComputer, many customers are reporting [1,2] the problems they are facing due to the outage.

The BlackCat/ALPHV ransomware gang initially added NCR to the list of victims on its Tor data leak site, below the Tweet from the cybersecurity researcher Dominic Alivieri. The expert also published a chat message related to the negotiation between NCR and the ransomware gang.

The ransomware gang claims to have stolen credentials belonging to NCR’s customers and threatens to use them and leak them if the ransom was not paid.

At the time of this writing the group has removed the name of NCR from its leak site, likely because there is an ongoing negotiation.

BlackCat/ALPHV ransomware gang has been active since November 2021, the list of its victims is long and includes industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, gas pipeline Creos Luxembourg S.A., the fashion giant Moncler and the Swissport.

The ransom demands of the group range from a few tens of thousands of dollars up to tens of millions of dollars.

An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was recently observed exploiting three vulnerabilities in the Veritas Backup solution to gain initial access to the target network.

Unlike other ALPHV affiliates, UNC4466 doesn’t rely on stolen credentials for initial access to victim environments. Mandiant researchers first observed this affiliate targeting Veritas issues in the wild on October 22, 2022.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NCR)