NCR, a prominent retail point-of-sale provider and provider of automated teller machine technology, has announced that it was hit by a ransomware attack on April 17th, disrupting some of its services.
According to the company’s statement, the “cyber ransomware incident” was detected in a single data center. It caused an outage that impacted a “subset of its commerce customers.” NCR quickly implemented its response plan, informed affected customers, engaged a third-party cybersecurity company, and notified federal law enforcement.
The company clarified that the ransomware attack was limited to the specific functions of its Aloha cloud-based services and its Counterpoint product. The incident did not affect any customer systems or networks or NCR’s ATM, digital banking, payments, or other retail products.
The BlackCat/ALPHV ransomware gang claimed responsibility for the attack
Tanium Inc.’s Chief Security Advisor, Timothy Morris, confirmed that BlackCat/ALPHV had claimed responsibility for the attack. Interestingly, the ransomware gang claims to only have obtained credentials as leverage. Normally, criminals also steal data to ensure the victim pays a ransom.
According to Morris, “BlackCat has been around since about November 2021 and is considered to have a highly sophisticated encryptor that is customizable. From the NCR notices, it appears that DFW (assuming Dallas Fort Worth) data center is the core of the attack. However, since that serves many POS systems in the hospitality industry, the impact is widespread.”
Rust strikes again
BlackCat/ALPHV was also linked to a ransomware attack on Western Digital Corp. last week. Neither the Western Digital attack nor the NCR one is listed on the group’s dark web hacking site as of the time of writing. However, parties such as Leadaway, SafHolland, the City of Yucatan, and various others are listed on the group’s site.
Heath Renfrow, the co-founder of disaster recovery company Fenix24 Inc., noted that BlackCat/ALPHV operates on a Ransomware-as-a-Service affiliate network basis that continually grows and recruits new members.
Renfrow added that BlackCat/ALPHV uses the Rust programming language. Malware written in that language is harder for conventional security solutions to detect and can affect a broader range of systems. Both Windows and Linux are susceptible. Finally, the language can be used to spin up more complex ransomware strains that are harder to analyze.