US payments giant NCR confirmed over the weekend that a data center outage is the result of a ransomware attack. On April 13, NCR said it discovered the incident and immediately began contacting customers, engaging third-party cybersecurity experts, launching an investigation and notifying law enforcement. The ransomware group known as BlackCat, Alphv and Noberus took credit for the attack on its Tor-based leak website, but the post was quickly removed.
The post from the cybercriminals stated that they had not stolen any actual NCR data, though they did obtain “a lot of credentials” that can be used to access NCR customer networks. It appears the removal of the post suggests negotiations have started between the hackers and NCR. SecurityWeek has reached out to the company to find out if it plans on paying a ransom.
The BlackCat ransomware has been around since at least November 2021 and its leak website currently lists more than 300 victims. Mandiant warned recently that the hackers have been exploiting vulnerabilities in a Veritas data backup product for initial access.
NCR has not responded to questions regarding potential information compromise or the payment of a ransom, but it did tell SecurityWeek that the incident is limited to specific functionality in Aloha cloud-based services and Counterpoint, and that no customer systems or networks are involved. NCR is working to establish alternative functionality for customers, fully restore impacted data and applications, and to enhance its cyber security protections.
In summary, US payments giant NCR has confirmed that a data center outage is the result of a ransomware attack. The well-known ransomware group BlackCat, Alphv and Noberus took credit for the attack on its Tor-based leak website, though the post has since been removed. NCR is investigating the incident, engaging third-party cybersecurity experts, and working to establish alternative functionality for customers. NCR has not responded to questions regarding potential information compromise or the payment of a ransom, but it did confirm that no customer systems or networks are involved.