NCR Corp., best known for its retail point-of-sale and automatic teller machine technology, has been struck by a ransomware attack, causing outages to some of its services.

In a statement today, NCR said it detected a “cyber ransomware incident” on April 13 in a single data center, resulting in an outage that affected the “functionality for a subset of its commerce customers.” The company then ticked off a standard list of responses — informing affected customers, implementing its response plan, engaging a third-party cybersecurity company and informing federal law enforcement.

NCR added that the incident was limited to the specific functions of its Aloha cloud-based services and its Counterpoint product. No customer systems or network were involved, nor did the ransomware attack affect the company’s ATM, digital banking, payments or other retail products.

Although NCR didn’t provide details on the form of ransomware or any ransom demanded, Bleeping Computer reported that the BlackCat/ALPHV ransomware gang has claimed responsibility for the attack.

Timothy Morris, chief security advisor at endpoint management company Tanium Inc., confirmed to SiliconANGLE that BlackCat/ALPHV had claimed responsibility for the attack. However, in an interesting twist, the ransomware gang claims not to have stolen data but credentials that it’s using as leverage to receive a ransom payment.

“BlackCat has been around since about November 2021 and is considered to have a highly sophisticated encryptor that is customizable,” Morris said. “From the NCR notices, it appears that DFW (assuming Dallas Fort Worth) data center is the core of the attack. However, since that serves many POS systems in the hospitality industry, the impact is widespread.”

BlackCat/ALPHV has also been linked to a ransomware attack on Western Digital Corp. last week. However, neither the Western Digital attack nor the NCR one is listed on the group’s dark web hacking site as of the time of writing. But Leadaway Insurance Co. Ltd., SafHolland, the City of Yucatan and various others are listed on the group’s site.

Heath Renfrow, the co-founder of disaster recovery company Fenix24 Inc., noted that BlackCat/ALPHV operates on a Ransomware as a Service affiliate network basis that continually grows and recruits new members.

“The reasons they are so successful, if we want to call it that, are multifold,” he said. “They pay their affiliates better than most similar criminal networks, reportedly 80% to 90% of profits, versus 70% usually — a significant incentive to set up a new affiliate.”

Renfrow added that BlackCat/ALPHV uses the Rust programming language, which is harder to detect by conventional security solutions, can affect a broader range of systems, including Windows and Linux, and can spin up more complex ransomware strains that are harder to analyze. “Their methods are brutal for affected organizations,” he said. “They exfiltrate data using the double extortion method and their payload discovers all servers connected to a network and attempts to self-replicate.”

Photo: Mike Gonzalez/Wikimedia Commons