NCR was hit with a ransomware attack. Here's what bankers need to know.

A ransomware attack against one of NCR's data centers has disrupted back-office functions for many restaurants across the country. The strain of ransomware behind the attack appears to be Alphv.

A subset of NCR’s 100,000 restaurant customers remain without access to back-office payments tools and gift card functions after a major point-of-sale and digital banking software maker suffered a ransomware attack against one of its data centers last week.

While NCR has not specified the strain of ransomware that infiltrated the data center, ransomware development group Alphv briefly claimed responsibility for the attack in a post to its blog on Saturday, according to cybersecurity researcher Dominic Alvieri. The group has since removed the post without explanation.

On Monday, NCR confirmed that it suffered a data center outage starting April 13 that affected some of its commerce customers, and that the outage was caused by a ransomware incident. In a statement, the company said it "immediately started contacting customers, enacted its cybersecurity protocol and engaged outside experts to contain the incident and begin the recovery process" and that an investigation is ongoing. 

NCR declined to answer questions about the incident, instead reiterating its Monday statement that purchases made at restaurants using its point-of-sale software Aloha continue to operate, but certain "administrative functions" are limited for some customers. Counterpoint, another point-of-sale product from NCR, was also affected.

"We believe this incident is limited to specific functionality in Aloha cloud-based services and Counterpoint," the company said. "At this time, our ongoing investigation also indicates that no customer systems or networks are involved. None of our ATM, digital banking, payments, or other retail products are processed at this data center."

Restaurants reported troubles accessing back-office tools, accepting gift cards and using NCR's data dashboard Pulse, according to trade publication Restaurant Business. NCR has point-of-sale software in 100,000 restaurants, according to the company.

Alphv ransomware, also known as BlackCat and Noberus, has increasingly been used against U.S.-based companies in manufacturing and financial services, according to Matthew Radolec, senior director of incident response and cloud operations for cybersecurity firm Varonis.

"Small- to medium-[size] financial services companies are prime real estate for not just Alphv but any ransomware-as-a-service actor," Radolec said. Such financial institutions tend to have the money threat actors ask for as ransom, and they "might be willing to pay the ransom," he said, to suppress news of a breach.

Alphv may not be the primary malware threatening financial institutions. A cybersecurity consortium for banks specifically called out Lockbit as the "most prolific ransomware operator throughout 2022" in a recent report. However, Alphv represents a particularly sophisticated threat, according to Radolec.

Alphv ransomware tends to be particularly difficult to detect, allowing the malicious code to remain unnoticed in victim computer systems for long periods as criminals look for ways to gain greater system access.

"That puts them an echelon or two above your off-the-shelf ransomware actor who does not go as far to try to cloak what they're doing," Radolec said. "They can also spend time studying common defenses to try to build bypasses."

Alphv's sophistication is more than technical; the group sells its services to anyone willing to work with the criminal group. While affiliates choose the targets, Alphv also has a hand in targeting specific sectors and regions through its marketing, according to Radolec.

One major factor that differentiates Alphv from other ransomware strains is the amount of money its users get to keep following an attack. According to Radolec, affiliates keep 90% of proceeds, which is far more than the splits offered by other ransomware providers.

This ransomware-as-a-service scheme means that Alphv is not the only entity financial institutions need to worry about. Anyone who has stolen credentials — or even current or former employees with logins for sensitive systems — can contact Alphv developers for help exploiting that access for financial gain.

That threat extends beyond Alphv to any ransomware group offering their services to willing affiliates, according to Brett Callow, a cybersecurity researcher for Emsisoft.

"As more and more money has poured into the ransomware ecosystem, the groups become better organized, more professional," Callow said. "They now operate in some ways very much like regular businesses."

While Alphv offers a distinct strain of ransomware, the people who build and maintain the ransomware are only loosely affiliated with Alphv specifically, Callow said. Alphv appears to share many of the same characteristics and members as DarkSide and BlackMatter, two largely inactive ransomware strains, he said.

"These groups are somewhat more amorphous," Callow said. "Some may leave and move on to do other things, and eventually, the group might bear no personnel similarities to the original one."

In evaluating the threat that ransomware poses, financial institutions need to understand that the people building the ransomware pose a different threat than the people using the ransomware, according to Radolec. The people using the ransomware might have stolen credentials themselves or bought them on the dark web.

"The enterprise that ransomware has become is, I think, the most understated thing," Radolec said. "It's like a corporation with subcontractors and agreements and rules."
