NCR Systems Restored Following Data Centre Ransomware Attack

May 4, 2023
US point of sale firm NCR has announced that its systems have been restored following a ransomware attack that knocked one of its most popular POS solutions offline.

In new updates posted to an incident report log, NCR confirmed that the main applications of its Aloha restaurant POS system are now back online.

These include the Aloha Configuration Center, NCR Back Office and Command Center, which have been restored in a new cloud environment.

Last month, as covered by VIXIO, more than 100,000 clients who use the Aloha system could have been affected, including multinationals such as Nando’s, Brewdog, Burger King and Yo! Sushi.

With the Command Center application fully restored, NCR said that sales and ordering have resumed for the “subset” of customers that were affected by the outage.

The main challenge that affected users now face is the task of importing their sales data and other information from during the outage.

“You may now, at any time, import this data to begin syncing in the live environment,” said NCR. “For larger customers, please note data imports should be staggered to avoid latency.”

Aloha users can also begin adding information such as employee records, inventory postings, shift edits and deposits dating back to April 10, when the attack was first detected.

How did it happen?

In the immediate aftermath of the attack, Russia’s BlackCat/ALPHV gang took to the eCrime.ch data leak site to claim responsibility.

In a since deleted post, the group said it had communicated with NCR during the early days of the attack, before NCR informed its customers of the breach.

“During four days of silence and removal of any mention of ransomware on reddit, NCR representatives went into a chat room to find out what data had been stolen,” the group said.

“After receiving information that NCR data had not been stolen, but accessed their customers’ networks, they decided to make a press release.

“If you become our victim you know who to thank,” the attackers added.

NCR has neither confirmed nor denied that it communicated with BlackCat/ALPHV, and did not respond to VIXIO when asked.

Since the attack, cybersecurity professionals have speculated as to whether NCR could have detected the attack sooner and prevented it from affecting clients.

Kevin Reed, chief information security officer at Acronis, a cybersecurity firm, told VIXIO that NCR can be given credit for limiting the impact of the attack to only one product, but in other ways NCR’s response leaves room for improvement.

“Poor incident response practices stand out here,” said Reed. “Organisations should prepare themselves for these kinds of attacks: initial compromise is almost inevitable, but protection from a ransomware gang disrupting production is certainly possible.”

Reed said that what “distinguishes” this incident from most ransomware attacks, which are “very common”, is that Aloha's production infrastructure was compromised.

“Usually, ransomware attacks start with client compromise and then attackers move laterally through the enterprise network until they achieve admin domination or reach their other objectives.

“In this case, attackers either managed to move to production from the enterprise segment, which would point to insufficient internal isolation, or they managed to compromise production servers right away, which means NCR’s production infrastructure or applications were not secure.”

If systems are compromised, Reed said organisations should have regular backups on hand and should have conducted regular disaster recovery exercises.

“NCR was unable to acknowledge that it was responding to the attack for four days, which points to a paralysis at a decision-making level, as well as the cybersecurity engineering level.

“They denied the obvious while they were trying to call in external incident response consultants, when really I would expect a company of their size to have this capability in-house.”

For businesses that are frequently targeted by ransomware attacks, such as payment firms, Reed said the most important protections are often the simplest.

These include two-factor authentication (2FA), “patching” connected devices through software and operating system (OS) updates, and optimising malware protection and detection capabilities.
