Financial Services Firm NCR Hit by Ransomware Attack, Disrupting Aloha and Back Office Products

A payment processing system used by over 100,000 restaurants and bars has been temporarily disrupted as its parent company, NCR, has been hit with a ransomware attack.

The Aloha point-of-sale (POS) system is primarily used by independent eateries and small local chains throughout the country to accept credit card payments. This and NCR’s Back Office app, a tool used for managing restaurant staffing and inventory, are impacted by the ransomware attack, though the full extent of damage is still being investigated.

NCR ransomware attack impacts restaurants’ ability to manage administrative functions

The ransomware attack’s primary impact on affected restaurants appears to have been reduced functionality in certain Aloha cloud-based and Counterpoint features, which has impaired their ability to manage restaurant administrative functions. Some that use Back Office may also have lost access to their staffing schedules, payroll and inventory systems during the outage. NCR says that only one of its data centers was hit, and that the facility does not store customer financial information of any sort. The company is continuing an internal investigation into the incident with the assistance of an external forensics firm and law enforcement agencies.

An April 17 statement from NCR confirmed that a ransomware attack was to blame. This followed the BlackCat/AlphV ransomware gang (one of the largest currently operating) claiming responsibility, though the group’s dark web post about the incident was only up for a short time before being removed. The post claimed that the group had not stolen NCR data but had taken login credentials that could open many doors to client systems, and that it had been contacted by NCR representatives.

While it is possible that the whole thing is some sort of a bluff, or that BlackCat’s access was cut off before it could obtain anything really valuable, the sudden removal of an extortion threat of this sort usually indicates that the attackers have entered negotiations with the victim. NCR has not commented on whether it intends to make a payment, or has already made one.

POS systems are obviously attractive to criminals as a means of intercepting credit card numbers, but there is no indication yet that those are at risk in this case.

Timothy Morris, Chief Security Advisor at Tanium, observes that the impact could still be broader than initially reported: “BlackCat/ALPHV claimed responsibility for the attack and stated that they didn’t steal any data but did take credentials that they are using as leverage to receive a ransom payment. BlackCat has been around since about November 2021 and is considered to have a highly sophisticated encryptor that is customizable. It isn’t known how the attacker got initial access. From the NCR notices, it appears that the DFW (assuming Dallas Fort Worth) data center is the core of the attack. However, since that serves many POS systems in the hospitality industry, the impact is widespread. It is important in IT and cyber security to understand the dependencies for all systems.”

“Every part of service delivery makes up the supply chain that needs to be protected. That includes access management, MFA and least privilege implementation, to make credential stealing difficult for all links in the chain. In addition, hardware and software inventories must be completed to support robust vulnerability and patch management programs. Lastly, the entire application delivery has to be monitored,” added Morris.
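The dependency point Morris makes (one data center, many downstream tenants) is easy to reason about once the inventory he calls for is written down as a graph. The script below is an added example, not code from NCR, Tanium or the article; the inventory, component names and the `dc-example-*` data centers are constructed placeholders, not real NCR assets. Given a map of which component depends on which, it walks the reverse edges to find everything that transitively depends on a failed component (the "blast radius"), and flags components whose failure would reach every customer-facing leaf.

```python
"""Transitive dependency impact over a small, constructed service inventory.

Added example; not code from NCR or from the article's sources. All names
below are hypothetical placeholders.
"""
from collections import defaultdict, deque

# Constructed inventory: each component maps to the components it directly
# depends on. An empty list marks a root (here, a hypothetical data center).
DEPENDENCIES = {
    "dc-example-1": [],
    "dc-example-2": [],
    "identity-service": ["dc-example-1"],
    "aloha-cloud-backend": ["dc-example-1", "identity-service"],
    "back-office-app": ["aloha-cloud-backend"],
    "counterpoint-cloud": ["dc-example-2", "identity-service"],
    "restaurant-1": ["aloha-cloud-backend", "back-office-app"],
    "restaurant-2": ["counterpoint-cloud"],
    "restaurant-3": ["aloha-cloud-backend"],
}


def build_reverse_graph(deps):
    """Invert the map: for each component, the set of components that rely on it directly."""
    rev = defaultdict(set)
    for component, upstreams in deps.items():
        rev.setdefault(component, set())
        for up in upstreams:
            rev[up].add(component)
    return rev


def blast_radius(deps, failed):
    """Return every component that transitively depends on `failed` (excluding `failed` itself)."""
    rev = build_reverse_graph(deps)
    seen = set()
    queue = deque([failed])
    while queue:  # breadth-first walk over reverse edges
        node = queue.popleft()
        for dependent in rev.get(node, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def single_points_of_failure(deps, leaf_prefix="restaurant-"):
    """Non-leaf components whose failure would take down every leaf (customer) node.

    These are the places where redundancy, segmentation and monitoring buy the most.
    """
    leaves = {c for c in deps if c.startswith(leaf_prefix)}
    return sorted(
        c for c in deps
        if not c.startswith(leaf_prefix) and leaves <= blast_radius(deps, c)
    )


if __name__ == "__main__":
    for failed in ("dc-example-1", "dc-example-2", "identity-service"):
        print(f"{failed}: affects {sorted(blast_radius(DEPENDENCIES, failed))}")
    print("single points of failure:", single_points_of_failure(DEPENDENCIES))
```

Run on the constructed inventory, the first data center and the shared identity service both reach all three restaurants, while the second data center only affects the Counterpoint tenant. The same walk over a real asset inventory answers the question NCR's customers were asking during the outage: which of my services sit behind the facility that was hit.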

Active period for BlackCat includes breaches of industrial control systems, city governments

In action since late 2021, BlackCat has racked up an impressive victim count and has been particularly active in early 2023; it recently listed about 300 organizations on its dark web extortion site from which it is actively attempting to extract payments. The group shows a preference for targets in the United States, with a late 2022 Trend Micro study finding that about 40% of its victims were located there.

It attacks a wide variety of targets without any apparent concern for the level of real-world damage it might cause, from industrial control systems to hospitals. It has also hit computer hardware manufacturers, finance companies, Italy’s state-owned energy company, and a local city government in the Mexican state of Yucatán, among others.

Part of both its varied target profile and its sustained activity is due to the fact that it aggressively follows known vulnerabilities, scanning for organizations that have not yet patched them. It is equally aggressive in recruiting affiliates for its ransomware-as-a-service model, giving them a larger cut of the proceeds than is standard in the criminal underworld. And it is one of the first ransomware outfits to adopt the Rust programming language and use it to create custom tools and malware, something that automated defenses have not entirely caught up with yet.

The FBI has considered BlackCat a major threat since at least April 2022, when it issued a flash warning about dozens of US systems being compromised by the group in the prior months. The group’s ransomware attacks were likely so polished and successful right out of the gate due to participation by members of the former DarkSide crew, one of the biggest threats of 2021 and the perpetrators of the Colonial Pipeline attack. The group may also harbor former members of the BlackMatter ransomware group, which was another major player from mid-2020 to mid-2021.

BlackCat’s big business gamble was that giving its affiliates a bigger cut of the proceeds would inspire them to turn around and invest more of those profits into additional attacks. The theory appears to be proving out so far: the group has leapt from tens of successful attacks each month in its early life to hundreds at present.

The group has proved flexible in following vulnerabilities, but it has some staples that it likes to go back to. It uses custom malware that looks to steal Veeam backup credentials, it heavily targets unpatched Microsoft Exchange vulnerabilities, and it uses the seemingly deathless Emotet botnet to deploy ransomware payloads. It was also one of the first ransomware gangs to begin advertising a Log4J Auto Exploiter tool to affiliates after that vulnerability became public knowledge in late 2022. After the US, it also shows a significant preference for targets in Canada, Europe and the Asia-Pacific region. And it has bucked the recent trend of ransomware attacks seeking bigger and bigger game: over half of its victims have been small businesses.

Heath Renfrow, Co-founder of Fenix24, notes that ransomware is far from going away and that smaller businesses need to be prepared for attention from some of these big groups that had previously passed them over: “There are still many things organizations can do to defend themselves, and many come back to basic-but-comprehensive layered security best practices. These include hardening endpoints, ensuring strong lateral movement defenses, limiting/disabling cached credentials on all endpoints, following NIST guidelines on password strength and rotation for privileged accounts, employing MFA wherever possible, and separating admin accounts from all others. It’s also important to block users’ access to clicking the wrong content by default at the IT level, so they can’t click the wrong links in the first place. Getting an overall security assessment is a great step to understanding where your vulnerabilities lie.”

James McQuiggan, security awareness advocate at KnowBe4, adds: “Organizations must prioritize cybersecurity measures to mitigate the risk of a potential attack through robust security programs, including awareness, training, and improving security culture. While it’s not easy to implement, organizations will benefit by conducting regular security audits, having a robust incident response plan, and educating employees frequently on the latest social engineering attacks to minimize their risk and mitigate the potential impact of a cyber attack. Organizations must prioritize cybersecurity measures and remain vigilant against the evolving threat landscape.”

Updated 28 April 2023: Corrected impact on restaurants.