Rido - stock.adobe.com

Restaurants hit by IT problems after BlackCat attack on supplier NCR

Ransomware attack on systems of payments giant causing service outages for restaurants around the world

An undisclosed number of users of multinational payment giant NCR’s Aloha point of sale platform for hospitality businesses are experiencing an ongoing outage to their service, following a BlackCat ransomware attack last week.

The outage is impacting multiple elements of the Aloha platform in North America, and a limited number of services in both Europe and Asia-Pacific, mostly relating to online ordering.

The incident began on or around Wednesday 12 April and manifested as an outage to the organisation’s DFW05 datacentre that impacted a “limited number of ancillary Aloha applications” for a “subset” of its customers.

In a statement, NCR said: “On 13 April, we confirmed that the outage was the result of a ransomware incident. Immediately upon discovering this development we began contacting customers, engaged third-party cyber security experts and launched an investigation. Law enforcement has also been notified.

“Please rest assured that we have a clear path to recovery and we are executing against it,” it said. “We are working around the clock to restore full service for our customers. In addition, we are providing our customers with dedicated assistance and workarounds to support their operations as we work towards full restoration. Restaurants impacted are still able to serve their customers. Only specific functionality is impaired. There is no impact to payment applications or on-premise systems.

“The security and integrity of our systems is a top priority for NCR,” the organisation said. “We will continue to keep you updated with pertinent information and will let you know as soon as impacted services have been fully restored. In the meantime, please contact NCR Support or your account representative if you have any questions or need additional support.”

The attack was claimed by BlackCat on Saturday 15 April, as initially reported by security researcher Dominic Alvieri. In a post to its dark web leak site, the gang said that NCR had contacted it to establish what data has been stolen, which is supposedly customer credentials used to access Aloha. These posts have subsequently been removed from the BlackCat site.

Read more about ransomware

Users of NCR’s Aloha platform in the UK include high-profile chains such as BrewDog, Dishoom, Gaucho and Yo! Sushi. There is no indication that data from any of these organisations has been stolen, but posts to the dedicated Aloha Subreddit suggest that the outage has had some impact in the UK.

“Ransomware attacks on POS platforms can have disastrous impacts on the hospitality industry, leading to service downtime and long-term disruption,” said Simon Chassar, chief revenue officer at Claroty.

Our research shows that 51% of the food and beverage sector reported substantial disruption when hit by a ransomware attack in 2021. Moreover, these attacks can cause significant financial losses for organisations, with more than a third stating that the revenue impact of operational disruption would be at least one million dollars per hour.”

He said that as the hospitality industry automates and digitises further, its overall risk surface is liable to increase, and with the sector still struggling in the wake of the Covid-19 pandemic, it can ill afford downtime arising from ransomware.

Therefore, Chassar said, it’s essential that hospitality businesses try to implement more proactive practices to secure their systems.

“Businesses must have visibility across their entire network for all assets connected to understand their risk posture and provide patches to critical assets such as operational technology and IoT devices,” he said. “It is also essential to segment their networks to restrict unnecessary connectivity and the movement of malware to mitigate the impact of cyber attacks.”

Who is BlackCat?

BlackCat – which also goes by ALPHV and Noberus – shot to prominence in early 2022 with a series of heists on critical infrastructure organisations in Europe. The operation is backed by a group tracked as Coreid, FIN7 and Carbon Spider in various threat matrices, a long-established player in the Russia-based or -linked ransomware “community”.

By late 2022, it had emerged as a highly dangerous actor, with frequent updates to its locker malware including an ARM build to encrypt non-standard architectures, and better encryption functionality for its Windows and Linux builds.

BlackCat is a relatively consistent threat compared with the likes of LockBit, but it upped its attacks in February, accounting for roughly 13% of ransomware attacks booked in NCC’s telemetry for the period, as documented in its monthly threat report.

Read more on Data breach incident management and recovery

Data Center
Data Management