NCR Ransomware attack
Editor Notes:
- 4/28 – Good writeup on CPO on BlackCat — From the NCR notices, it appears that the DFW (assuming Dallas Fort Worth) data center is the core of the attack. However, since that serves many POS systems in the hospitality industry, the impact is widespread. It is important in IT and cyber security to understand the dependencies for all systems.
- 4/27 — A major user of Aloha is Wendy’s. They may have dodged a bullet as the ransomware targeted the cloud and Wendy’s has not yet transitioned the local restaurants to their new cloud system.
- 4/24 — From Ruggless at NRN — A spokesman for the Atlanta-based NCR said the company’s “team continues our 24/7 efforts to execute on our recovery plan to re-establish secure access to impacted Aloha applications.”
- Online ordering has resumed for the subset of CMC customers impacted by the outage.
- Each site’s sales and clock-in/out time information from the outage period was stored on the back-of-house controller, and customers could begin syncing that.
- The NCR Back Office applet in Pulse will not come online until the Pulse mobile app is restored, the company warned.
- 4/20 — Major chain with over 500 locations says the situation is still unresolved
- 4/18 By NRN — A restaurant operator in the Midwest said Tuesday that the incident continued to affect offline credit card processing, scheduling software and communications with inventory software. Panera is doing scheduling manually, which is a real expensive hassle according to an NRN contact.
- 4/18 Outages like this are critical to our industry, especially SMB entities that don’t get the love that a Walmart or Amazon might. Though if Dunkin is involved, that’s 12B in sales (one brand of Inspire Brands, we should add).
- 4/17 NCR posted — NCR downplayed the “incident” while not providing any timeline for a solution (or payoff).
- 4/16 we posted
- 4/15 Bleeping Computer posted
Here is the original “breaking news” from Bleeping Computer — lots of followup echoes (many AI-generated I think).
It’s Sunday April 16th and apparently, the Aloha point of sale platform is suffering a POS outage. Not very reassuring for their mega customers like Walmart and Amazon Whole Foods either. NCR just went through a major reorganization after their stock bottomed out (along with Diebold for that matter) and a lot of personnel were shifted around or “retired”. Much the same thing happened to Rackspace and others when “cost-cutting” meant retiring “overpriced” expertise which turned out to be underpaid.
NRA show in Chicago in a month and mega booth for Aloha. It should be interesting.
- The outage began last Wednesday with customers unable to utilize the system.
- NCR disclosed yesterday that the outage was caused by a ransomware attack
- NCR said that this outage impacts a subset of their Aloha POS hospitality customers and only a “limited number of ancillary Aloha applications.”
- BlackCat claimed responsibility
- Credentials for NCR customers were stolen and would be published if the ransom was not paid
- NCR issues PR on Monday morning
- limited to specific functionality in Aloha cloud-based services and Counterpoint.
- no customer systems or networks are involved
- None of our ATM, digital banking, payments, or other retail products are processed at this data center.
- Lots of outlets picked it up and reported today (Monday)
- “Ransomware attacks on POS platforms can have disastrous impacts on the hospitality industry, leading to service downtime and long-term disruption,” said Simon Chassar, chief revenue officer at Claroty. “Our research shows that 51% of the food and beverage sector reported substantial disruption when hit by a ransomware attack in 2021.”
- This incident affects: North America (Aloha Insight-US, Aloha Keyless Licensing-US, Aloha Loyalty-US, Aloha Stored Value-US, Aloha Update-US, Command Center-US, Command Center WebOrder-US, Configuration Center-US, Configuration Center API-US, Customer Voice-US, Mobile Pay API-US, NCR Back Office (NBO)-US, Pulse Realtime-US, Pulse Realtime API-US, Radiant POS Management-US, Restaurant Guard Audit-US), Asia Pacific (Online Ordering Classic-APAC, Online Ordering API-APAC), and Europe (Online Ordering Classic-EU, Online Ordering API-EU).
- Ransomware & Active Directory — How to protect by Ransomeware.org
- 140,000 outlets worldwide include Dunkin’ Donuts, Brewdog, etc
- Reddit AlohaPOS thread & TheStack (nice writeup)
- Worth noting Dunkin Donuts is one of several brands owned and operated by Inspire Brands – Dunkin, Sonic, Jimmy Johns, Arbys, Baskin Robbins. 32,000 restaurants with 3300 franchisees. Dunkin is 12B in sales.
- Shades of Target Stores — The likely scenario [in most ransomware attacks] is that they have full administrative access to your Active Directory. With domain admin level access, they have the keys to everything, including your backup. We see adversaries head straight for the backups, which they destroy, before they go ahead and do the rest of the damage. Best case scenario, you have your backups intact.
Excerpt
“We have a clear path to recovery and we are executing against it. We are working around the clock to restore full service for our customers,” NCR told BleepingComputer. “In addition, we are providing our customers with dedicated assistance and workarounds to support their operations as we work toward full restoration.”
Read full article From Bleeping Computer
Reddit Conversations
4/18/2023 10:30AM MT AlohaPOS — FOH manager here with large corporate restaurant. Most of us don’t code, as I’m sure you lucky bastards are aware, so we’ve gone fully old school. Pen, paper, and spreadsheets. Payroll from Tuesday/Wednesday of last week is a mess, because we weren’t able to edit punches or job codes. Basically we’ve overpaid quite a few folks. Additionally, we have several new employees we were unable to add to the system…so getting them paid has been more of a headache than usual. We quickly adapted and implemented checks and balances in operations, though. The biggest issues I’m facing: unable to chase inventory, and unable to chase dollars. Just been flying blind and hoping no one decided to steal this week…whilst frantically documenting every innocuous detail.
Anyone know how much BlackCat asked for? What they expected NCR to shell out?
Resources
- NRN post 4/18 – Ron Ruggless is senior editor there and highly respected.
- Not the first time for Aloha & NCR — How We Caught a Threat Actor Exploiting NCR POS Zero Day – SentinelOne
- NCR and Windows 7 — PDF NCR Security Alert
- October 2022 7-Eleven Ransomware Attack
More Posts
- Kiosk Hacks – Porn Video That Played in Union Station
- Kiosk Lawsuit Litigation – KT Intellectual Property and NCR Self-Serv
- Kiosk History – Blast From Past – NCR Room 504
- The Transformation of NCR — Harvard Business School
Restaurant Industry Facts at a Glance
- 2023 Sales Forecast: $997 billion
- 2023 Employment Forecast: 500,000 new jobs for total foodservice employment of 15.5 million
- 9 in 10 restaurants have fewer than 50 employees
- 7 in 10 restaurants are single-unit operations
- 8 in 10 restaurant owners started their industry careers in entry-level positions
- 9 in 10 restaurant managers started in entry-level positions
- 63% of adults have worked in the restaurant industry, making it the nation’s training ground
- Restaurants employ more minority managers than any other industry
- 41% of restaurant firms are owned by minorities – compared to 30% of businesses in the overall private sector.
- Waitstaff at full-service restaurants earn a median of $27.00 an hour, with an upper quartile of $41.50 and a lower quartile of $19.00.