
Ransomware strikes POS platform used by NCR’s customers in hospitality industry


NCR disclosed on Saturday that it was hit with a ransomware attack on its Aloha point-of-sale (POS) platform, which is aimed at the company’s hospitality and restaurant customers.

In a public statement, NCR said it confirmed the attack on April 13, which caused an outage that the company said impacted a “limited number” of ancillary Aloha applications for a “subset” of its hospitality customers.

While NCR did not say which ransomware group executed the attack, researcher Dominic Alivieri spotted a post that was later taken down on the BlackCat/ALPHV ransomware gang's site where BlackCat claimed responsibility.

BlackCat operates under a ransomware-as-a-service (RaaS) model, in which attackers compromise data in a system and demand payment from the victims in exchange for the data. BlackCat ransomware first appeared in November 2021 and has been tracked to a Russian-speaking group of cybercriminals.

One user posted on Reddit that his restaurant was having a tough time of it: “Restaurant manager here, small franchise stuck in the Stone Age with around 100 employees. We’re doing the old pen and paper right now and sending to head office. The whole situation is a huge migraine.”

Another manager on the same thread said they had luckily avoided the attack: “Thankfully we were in the process of switching to 3rd party provider for employees clocking in/out and payroll so we just pushed this forward a couple of days otherwise this would have been a nightmare with 800 staff across multiple locations. Good luck to all of you out there!”

POS systems remain an attractive target for adversaries in ransomware attacks given the business criticality of both the customer payment data and the broader impact on business operations, said Dave Gerry, chief executive officer at Bugcrowd.

“This is a timely example reinforcing that cyberattacks impact more than just the primary target,” Gerry said. “In this case, it hit potentially thousands of small businesses that rely on the NCR Aloha POS platform, once again reinforcing the need for deeper supply chain security and continuity.”

Matt Mullins, senior security researcher at Cybrary, said that because of the size and impact of NCR’s systems and the reach they have, we can expect to see lots of other groups attacking companies that have used their products in the future. Mullins said these credentials will have more than likely already been sold to criminal organizations because of the low risk of being an initial access broker for other criminals.

“The Aloha application suite, which is tied to their cloud infrastructure, also has exposures via customer service,” Mullins said. “There are a number of ways one could estimate that the access was acquired, but a good guess would be phishing via a customer service portal. By simply acting like a known customer they could then phish their way into the main platform ecosystem and elevate from there.”

Heath Renfrow, co-founder at Fenix24, added that the BlackCat ransomware group has gotten a lot of press (which they actively encourage) because they have affected more than 60 organizations since they first appeared in 2021. Renfrow said they pay their affiliates better than most similar criminal networks: reportedly 80% to 90% of profits, versus 70% — a significant incentive to set up a new affiliate.

Renfrow said BlackCat uses the Rust programming language, which is harder for conventional security solutions to detect, can affect a broader range of systems, including Windows and Linux, and can spin up more complex ransomware strains that are harder to analyze.

“Their methods are brutal for affected organizations,” said Renfrow. “They exfiltrate data using the double-extortion method and their payload discovers all servers connected to a network and attempts to self-replicate.”
