Payment giant’s point-of-sale outage caused by ALPHV ransomware

On April 12, 2023, payment giant NCR reported it was looking into an issue with its point-of-sale (POS) systems that caused an outage, leaving customers unable to use the system.

The NCR Aloha POS systems are popular in hospitality services. Customers include Wendy’s, Chuck e Cheese, Café Rio, Leeann Chin, and FATZ Café. The NCR website claims the company helps over 100,000 restaurants run their operations. The outage primarily caused problems in the US but some European and Asia Pacific online ordering services were affected as well.

On April 13, NCR found that the root cause of the outage was the result of a ransomware incident. At this point it contacted customers, notified law enforcement, and initiated an investigation aided by third-party security experts.

In a statement on April 17, NCR reassured customers it was working hard to quickly restore functionality:

“We are committed to re-establishing secure access to the impacted Aloha and Counterpoint applications as quickly as possible. We are restoring impacted applications in a new secure environment. We will have further updates on the timeline for rebuilding this new environment, and we are targeting this week to bring these applications back online. We will also be contacting customers with a few key steps to access our new environment.”

Although NCR has released no specific information about the responsible ransomware group, it is rumored that ALPHV aka BlackCat was behind the attack after security researcher Dominic Alvieri found a post to that effect on the ALPHV leak site.

ALPHV has since removed the post in which they claimed to have stolen credentials belonging to NCR’s customers and threatened to publish these data if a ransom was not paid.

“We take a lot of credentials to your clients networks used to connect for Insight, Pulse, etc. We will give you this list after payment,”

The ransomware-as-a-service (RaaS) group ALPHV, also known as BlackCat or Noberus, is currently one of the most active. ALPHV was ranked #4 in our list of most prolific ransomware gangs last month.

ALPHV ransomware is used by affiliates who conduct individual attacks, breaching organizations using stolen credentials or by exploiting weaknesses in unpatched Microsoft Exchange servers. During the attacks, data is stolen and encrypted and the victim is asked to pay a ransom for both a decryption tool, and to prevent the stolen data from being leaked.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.