Payment giant’s point-of-sale outage caused by ALPHV ransomware

On April 12, 2023, payment giant NCR reported it was looking into an issue with its point-of-sale (POS) systems that caused an outage, leaving customers unable to use the system.

The NCR Aloha POS systems are popular in hospitality services. Customers include Wendy’s, Chuck E. Cheese, Café Rio, Leeann Chin, and FATZ Café. The NCR website claims the company helps over 100,000 restaurants run their operations. The outage primarily caused problems in the US, but some European and Asia Pacific online ordering services were affected as well.

On April 13, NCR determined that the root cause of the outage was a ransomware incident. At that point it contacted customers, notified law enforcement, and initiated an investigation aided by third-party security experts.

In a statement on April 17, NCR reassured customers it was working hard to quickly restore functionality:

“We are committed to re-establishing secure access to the impacted Aloha and Counterpoint applications as quickly as possible. We are restoring impacted applications in a new secure environment. We will have further updates on the timeline for rebuilding this new environment, and we are targeting this week to bring these applications back online. We will also be contacting customers with a few key steps to access our new environment.”

Although NCR has released no specific information about the responsible ransomware group, it is rumored that ALPHV, aka BlackCat, was behind the attack after security researcher Dominic Alvieri found a post to that effect on the ALPHV leak site.

ALPHV has since removed the post, in which it claimed to have stolen credentials belonging to NCR’s customers and threatened to publish the data if a ransom was not paid:

“We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment,”

The ransomware-as-a-service (RaaS) group ALPHV, also known as BlackCat or Noberus, is currently one of the most active. ALPHV was ranked #4 in our list of most prolific ransomware gangs last month.

ALPHV ransomware is used by affiliates who conduct individual attacks, breaching organizations using stolen credentials or by exploiting weaknesses in unpatched Microsoft Exchange servers. During the attacks, data is stolen and then encrypted, and the victim is asked to pay a ransom both for a decryption tool and to prevent the stolen data from being leaked.