
BlackCat Ransomware Group Says Aloha to POS

Executive Summary

Cyber attacks can have a significant impact on point-of-sale (POS) services, which are used in retail environments to process transactions and collect payments from customers.

POS systems typically involve the use of software, hardware, and network components, which can be vulnerable to a variety of cyber threats.

A successful campaign targeting POS systems can result in credit card theft, transaction tampering, service disruption, brand damage and other severe organizational damage.

One great example of the risks and impact of compromising POS services is the BlackCat ransomware group’s campaign against NCR.

BlackCat Ransomware Group (ALPHV)

The BlackCat ransomware group, aka ALPHV, is one of the most dominant ransomware groups.

With 81 published victims in Q1 of 2023, the group constantly positions itself as one of the top 3 ransomware groups in the industry.

Although the group was first discovered in November 2021, its origins go back several years to the notorious DarkSide, which was responsible for one of the most impactful ransomware cases in history – the Colonial Pipeline Incident.

BlackCat Ransomware’s Victimology

Over the past month, the BlackCat ransomware group's activity has mainly focused on the business services sector and the manufacturing industry.

As for their favorite countries, BlackCat primarily targets the United States, with 64% of their attacks targeting this region (Figure 1).

Figure 1: BlackCat ransomware group’s victims’ distribution by region in the past 30 days

NCR Ransomware Attack

On April 12th, NCR, a technology company that provides various solutions for businesses, including point-of-sale (POS) systems for restaurants and retailers, was hit by a ransomware attack.

For several days before the announcement, Aloha POS customers reported issues with using their systems, as this ransomware attack caused a massive outage that affected its point-of-sale systems.

On April 15th, the ALPHV (BlackCat) ransomware group took ownership of this attack by publishing NCR on their ransomware leak site blog.

Figure 2: BlackCat ransomware group’s posting about NCR on their site

In their leak site blog post, the BlackCat ransomware group claimed that they had obtained NCR customers’ private information, such as credentials, which made this case very sensitive.

An hour after the group’s announcement, the listing was removed, which might imply NCR is resuming their negotiations with the BlackCat ransomware group.

Impact of the NCR Ransomware Attack

The attack harmed not only the operations and revenue of NCR as a company, but also its customers.

Given that NCR’s customers are businesses, a halt in the company’s operations caused massive slowdowns in its customers’ operations, as many of them had to use manual techniques to close the technological gaps caused by the attack.

In some cases, clients with thousands of employees could not export payroll data, which eventually caused additional problems.

The shockwaves of the NCR ransomware attack hit several levels and caused massive damage to both the company and its customers.

“Poor Man’s” Supply Chain Attack

As in any supply chain attack, interfering with one link of the chain gives the attacker a hold on that link’s valuables and on the rest of the supply chain.

In the NCR case, we have BlackCat ransomware group’s confirmation that no NCR data has been taken.

However, we do know that the BlackCat ransomware group confirmed that they obtained valuable data on NCR’s customers, such as their credentials for additional services. We can also suspect that, given access to various endpoint systems, the threat actors may steal sensitive information such as credit card numbers, names, addresses, and other personal information.

Endpoint users who have used the company’s payment services could have their data stolen, which could lead to identity theft, fraudulent charges, and other issues. 

The Future of Point-of-Sale Attacks

Point-of-sale (POS) services are not new to cybercrime, although they were mostly targeted by fraud and identity theft campaigns in the past. The NCR ransomware attack shows that POS services are also appealing to ransomware groups and they might attract even more ransomware families targeting this type of business.

In the past two years, the targeting of POS services has been steadily declining due to the COVID pandemic. As the world returns to its normal course, an increase in attacks on POS services may play a dominant part in the retail threat landscape, and the NCR ransomware attack is a great example of that.
