NCR Aloha POS system
Source: NCR Aloha

NCR is suffering an outage on its Aloha point of sale platform after being hit by an ransomware attack claimed by the BlackCat/ALPHV gang.

NCR is an American software and technology consulting company that provides digital banking, POS system, and payment processing solutions for restaurants, businesses, and retailers.

One of their products, the Aloha POS platform used in hospitality services, has suffered an outage since Wednesday, with customers unable to utilize the system.

After days of silence, NCR has disclosed today that the outage was caused by a ransomware attack on data centers used to power their Aloha POS platform.

"As a valued customer of NCR Corporation, we are reaching out with additional information about a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers," reads an email sent to Aloha POS customers.

"On April 13, we confirmed that the outage was the result of a ransomware incident."

"Immediately upon discovering this development we began contacting customers, engaged third-party cybersecurity experts and launched an investigation."

"Law enforcement has also been notified."

In a statement to BleepingComputer, NCR said that this outage impacts a subset of their Aloha POS hospitality customers and only a "limited number of ancillary Aloha applications."

However, Aloha POS customers have shared on Reddit that the outage has caused significant issues in their business operations.

"Restaurant manager here, small franchise stuck in the Stone Age with around 100 employees. We're doing the old pen and paper right now and sending to head office. The whole situation is a huge migraine," a customer posted to the AlohaPOS Reddit.

Other users are concerned about making payroll on time for their employees, with different customers recommending that data be pulled manually from the data files until the outage is over.

"We have a clear path to recovery and we are executing against it. We are working around the clock to restore full service for our customers," NCR told BleepingComputer. "In addition, we are providing our customers with dedicated assistance and workarounds to support their operations as we work toward full restoration."

Unfortunately, outages caused by cyberattacks like these tend to take quite a bit of time to resolve in a secure manner, as was seen with the recent DISH and Western Digital cyberattacks.

Do you have information about this or another ransomware attack? If you want to share the information, you can contact us securely on Signal at +1 (646) 961-3731, via email at lawrence.abrams@bleepingcomputer.com, or by using our tips form.

BlackCat claims the attack on NCR

While NCR did not share what ransomware operation was behind their attack, cybersecurity researcher Dominic Alivieri spotted a short-lived post on the BlackCat/ALPHV ransomware gang's data leak site where the threat actors claimed responsibility.

Delete NCR entry posted to BlackCat data leak site
Delete NCR entry posted to BlackCat data leak site
Source: Dominic Alvieri

This post also included a snippet of the negotiation chat conversation between an alleged NCR representative and the ransomware gang.

According to his chat, the ransomware gang told NCR they had not stolen any data stored on servers during the attack.

However, the threat actors claimed to have stolen credentials for NCR's customers and stated that they would be published if a ransom was not paid.

"We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment," the threat actors told NCR.

BlackCat has since taken down the NCR post from their data leak site, likely hoping the company would be willing to negotiate a ransom.

The BlackCat ransomware gang launched its operation in November 2021 with a highly sophisticated encryptor that allowed for a wide range of customization in attacks.

The ransomware gang received the name BlackCat due to the image of a black cat on its data leak site. However, the threat actors call themselves ALPHV internally when discussing their operation on hacking forums and in negotiations.

Since its launch, the ransomware operation has grown into one of the most significant ransomware active at this time, responsible for hundreds of attacks worldwide, with ransom demands ranging from $35,000 to over $10 million.

Related Articles:

Prudential Financial now says 2.5 million impacted by data breach

Change Healthcare lists the medical data stolen in ransomware attack

Patelco shuts down banking systems following ransomware attack

Affirm says cardholders impacted by Evolve Bank data breach

CDK Global says all dealers will be back online by Thursday