NCR's Aloha POS System Disrupted by Ransomware Attack

NCR Global, the American software and technology company, has suffered an outage of its Aloha point-of-sale (POS) platform across several restaurants. After a few days of radio silence, NCR disclosed the outage was caused by a ransomware attack on a data center responsible for powering the service. The technology platform provider confirmed the situation in a press release, stating the following:

"On April 13, NCR determined that a single data center outage that is impacting some functionality for a subset of its commerce customers was caused by a cyber ransomware incident. Upon such determination, NCR immediately started contacting customers, enacted its cybersecurity protocol and engaged outside experts to contain the incident and begin the recovery process. The investigation into the incident includes NCR experts, external forensic cybersecurity experts and federal law enforcement."

According to a statement by NCR to BleepingComputer, the current outage affecting their Aloha POS platform is specific to a subset of their hospitality customers. Moreover, NCR has stated that the blackout has only affected a "limited number of ancillary Aloha applications." That being said, some Aloha POS users on Reddit have claimed “significant issues in their business operations” have been caused by the outage.

NCR has confirmed that customers affected by the ransomware attack are experiencing reduced functionality in administrative functions. However, in-restaurant purchases and transactions continue to operate as usual.

The ransomware attack on NCR's Aloha POS platform has been claimed by the ransomware group BlackCat, which also goes by Alphv and Noberus. According to cybersecurity researcher Dominic Alvieri, who first noticed the hack gang’s now-deleted post, the ransomware group claimed that NCR representatives contacted them to find out what type of data had been stolen. Although the hackers did not allegedly steal any NCR data, they did obtain "a lot of credentials" to access NCR client networks.

The removal of the post mentioning NCR from the BlackCat ransomware group's leaked website indicates that negotiations may have begun. NCR stated that it has “a clear path to recovery,” and the company is “working around the clock to restore full service for our customers.”