Restaurant owners who use the NCR Aloha point of sale system are currently experiencing "limited functionality" following a ransomware attack on an NCR data centre.
In its latest security update, NCR said it is aiming to bring all impacted applications back online by the end of this week, if not sooner.
"Our team continues our 24/7 efforts to execute on our recovery plan to re-establish secure access to impacted Aloha applications," the company said.
"Please know we have heard your feedback and developed this plan based on the priority items we believe will help you get back to business as usual as soon as possible."
NCR Aloha is one of the most popular POS systems in the world, and is used by more than 100,000 clients, including multinationals such as Nando's, Brewdog, Burger King and Yo! Sushi.
It is described as an "all-in-one" restaurant POS system, providing clients with fixed and mobile hardware, digital ordering, third-party delivery integration, revenue management and analytics tools.
NCR's latest update comes almost a week after it was first alerted to a potential data centre outage, according to the company's incident report timeline.
At the end of last week, NCR said it had identified an outage at one of its data centres, and had determined that the centre had been hit by ransomware.
In response, NCR began contacting customers to inform them of the outage, enacted its cybersecurity protocol and engaged "outside experts" to limit the incident and initiate a recovery process.
Both federal law enforcement officials and external forensic cybersecurity experts are currently investigating the attack.
"At this time, our ongoing investigation indicates that no customer systems or networks are involved," the company said in a statement.
"None of our ATM, digital banking, payments or other retail products are processed at this data center."
Russian cybercriminals claim responsibility
In a since-deleted post on the eCrime.ch data leak site, Russia's BlackCat/ALPHV gang claimed responsibility for the attack.
"During four days of silence and removal of any mention of ransomware on reddit, NCR representatives went into a chat room to find out what data had been stolen," the group said.
"After receiving information that NCR data had not been stolen, but accessed their customers' networks, they decided to make a press release.
"We are forced to take action regarding NCR customers. If you become our victim you know who to thank."
Although NCR has confirmed that the outage was caused by ransomware, it has given no indication as to whether it communicated with the attackers or what was said. VIXIO contacted NCR for further details but did not receive a response.
Lessons learned
The outage has left cybersecurity and payments professionals speculating as to whether NCR could have prevented the attack or contained it sooner.
James Azar, host of the CyberHub Podcast and chief information security officer (CISO) at AP4 Group, an industrial automation firm, told VIXIO that NCR should be given credit for limiting the attack to Aloha.
"Since NCR segmented their networks and products, they were able to contain the attack to Aloha rather than their entire product suite and work to restore services, which is easier said than done," he said.
But until we know the full facts behind the attack, Azar said it is difficult to say how the attackers gained access to the Aloha network or how long they were there for.
There are "only several ways" to launch an attack of this kind, he said. These include gaining access through an unpatched, vulnerable server, operating system or hardware unit; compromised credentials; or a supply chain attack using a backdoor into Aloha.
As a major financial services provider, Azar said NCR would be a "prime target" for ransomware attackers, and the attackers' choice of target came as "no surprise" to him.
"It's critical to understand these types of attacks are part of a greater economic warfare that Iran, Russia and North Korea wage on the West to retaliate against sanctions and to get paid for financial losses due to those sanctions," he said.
He added that ransomware is by far the biggest cyber risk faced by businesses, which must have protections in place should they be targeted.
"Ransomware is the cheapest, easiest and most common type of cyberattack today, and globally we see ransomware attacks daily," he said.
"For payment companies, a well thought-out and constantly reviewed recovery plan is critical to be able to recover from this type of attack."
Carrington Fisk, a certified payments professional of the Electronic Transactions Agency (ETA), said ransomware attacks are "far more prevalent" than most businesses and consumers realise, as most are not reported.
"The only reason we heard about this one is because NCR was unable to solve it quickly," he said. "Over a week has passed since the original breach and merchants are still scrambling, unable to fully utilise their point of sale back office."
Fisk said the attack should be a lesson for POS companies to protect against ransomware risk by keeping their hardware and software as up to date as possible.
"There are several legacy point of sale providers that have operated for decades with outdated hardware and software, riding the tides of excellence long past," he said.
"Aloha is years behind the competition from both a feature set standpoint and a hardware standpoint. They continue to deploy new systems without full EMV integration, which in 2023 is shocking."
Azar added that ransomware risk hinges on backups and the ability to quickly recover from the latest backup, while a new infrastructure is put in place to support the product.
"Great organisations can do this in under a week," he said. "Others can take months or years to recover from this type of attack."






