Cyber Incident Victim: NCR Corporation
Date: Apr 2023
Location: United States of America
Summary
NCR suffered a ransomware attack claimed by the BlackCat/ALPHV gang, causing a significant outage to its Aloha point-of-sale platform. The incident disrupted business operations for a subset of hospitality customers, forcing some to resort to manual pen-and-paper processes. While the company stated the attack impacted a limited number of ancillary applications, the threat actors claimed to have stolen customer credentials and threatened to publish them unless a ransom was paid.
Description
NCR Corporation is an American software and technology consulting company that provides digital banking, point-of-sale systems, and payment processing solutions for restaurants, businesses, and retailers. On April 13, 2023, NCR confirmed that a ransomware incident was the cause of an outage on its Aloha point-of-sale platform, used in the hospitality industry. The outage had begun the previous day, Wednesday, April 12, and affected a subset of NCR's hospitality customers. Upon confirming ransomware as the cause, NCR began contacting affected customers, engaged third-party cybersecurity experts, launched an investigation into the incident, and notified law enforcement agencies of the attack.

The ransomware group BlackCat, also known as ALPHV, claimed responsibility for the attack on NCR. A cybersecurity researcher observed the claim on the group's data leak site, though the post was subsequently removed. The BlackCat ransomware operation launched in November 2021 and is known for a highly configurable encryptor that lets affiliates tailor each attack. The group has become one of the most significant ransomware threats, responsible for hundreds of attacks worldwide with ransom demands ranging from $35,000 to over $10 million. The name BlackCat comes from the image of a black cat on its data leak site; the threat actors refer to themselves as ALPHV.
According to a snippet of a negotiation chat posted by the threat actors, they communicated with an alleged NCR representative. In this chat, the ransomware gang stated that they had not stolen any data stored on servers during the attack. However, they claimed to have taken credentials belonging to NCR's customers, specifically credentials used to connect to those customers' networks for services like Insight and Pulse. The threat actors explicitly stated, "We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment." The stolen credentials were thus being used as leverage: the gang threatened to publish them unless NCR paid. Because such credentials grant access to customer environments rather than to NCR alone, their exposure would extend the incident's blast radius well beyond the affected data center.
NCR characterized the incident as impacting a single data center and affecting only a limited number of ancillary Aloha applications for a subset of its hospitality customers. The company stated it had a clear path to recovery and was working around the clock to execute it and restore full service. In the meantime, NCR provided its impacted customers with dedicated assistance and workarounds to support their business operations during the outage. The company acknowledged that resolving outages caused by such cyberattacks in a secure manner often takes a significant amount of time.
The impact on customers, however, was severe despite NCR's characterization of the outage as limited. Restaurant managers and business owners using the Aloha POS platform reported significant disruptions to their operations on online forums like Reddit. One restaurant manager described the situation as a "huge migraine," explaining that their small franchise with approximately 100 employees was forced to revert to manual pen-and-paper processes for tracking orders and sending information to their head office. Other customers expressed concerns about their ability to process payroll for employees on time due to the system being unavailable. Some users recommended manually pulling data from data files as a temporary workaround until the service was fully restored.
The incident highlighted the broader trend of ransomware attacks causing extended operational disruptions for large enterprises and their downstream customers. NCR's response followed a pattern observed in other recent major cyberattacks, such as those affecting DISH Network and Western Digital, where recovery processes were complex and time-consuming. The engagement of third-party cybersecurity experts and the notification of law enforcement were part of a standard response protocol to such incidents. The removal of the claim from BlackCat's data leak site suggested ongoing negotiations between the company and the threat actors, though no official confirmation of any ransom payment was provided. The primary consequences of the attack were operational downtime for a segment of NCR's hospitality clients and the potential compromise of customer network credentials as claimed by the attackers.
