Editor’s note: This article has been updated with additional details about NCR’s recovery efforts.
NCR, a payments processor that offers point-of-sale systems to restaurants and retailers, digital banking and ATM services, is still responding to and recovering from a ransomware attack that began impacting systems on April 12.
The cyberattack caused a data center outage that is impacting some functionality in Aloha, a POS used by restaurants, and Counterpoint, which integrates front- and back-office management systems for retailers, NCR said in an incident report update Monday. The company first publicly disclosed it was hit by a ransomware attack on April 15.
“At this time, our ongoing investigation also indicates that no customer systems or networks are involved,” the company said in its incident report. “None of our ATM, digital banking, payments or other retail products are processed at this data center.”
NCR on Tuesday said it aimed to fully restore the remote monitoring Command Center application within 24 hours, but hasn’t shared further updates and did not respond to a request for confirmation.
The payments processor also said efforts to restore Aloha Insight, NCR Back Office cloud and the Aloha Configuration Center are progressing.
“We previously shared our goal to bring all impacted applications back online this week, and while that remains our target, we hope to restore your services sooner,” the company said in its incident report update.
The attack against NCR follows ransomware attacks against Yum Brands and Five Guys in January.
In-restaurant purchases are still being processed, but other capabilities and business processes remain down, the company said. While restoration efforts remain underway, NCR said it has established local workarounds to support impacted customers’ operations.
“We are restoring impacted applications in a new secure environment. We will have further updates on the timeline for rebuilding this new environment, and we are targeting this week to bring these applications back online,” the company said.
NCR hasn’t disclosed how many customers are potentially impacted, and the company declined to answer questions. NCR claims more than 100,000 restaurant locations currently use its platform. Some restaurants are reportedly unable to access back office tools, process payroll or accept loyalty points and gift cards.
“POS systems remain an attractive target for adversaries in ransomware attacks given the business criticality of both the customer payment data and broader impact to business operations,” Bugcrowd CEO Dave Gerry said via email.
NCR hasn’t identified the threat actor behind the attack but the ransomware group BlackCat, also known as AlphV, claimed responsibility on its leak site, according to independent security researcher Dominic Alvieri.
The ransomware group claims it stole credentials, which it’s using as leverage for a ransom demand, according to Tim Morris, chief security advisor for the Americas region at Tanium.
“It isn’t known how the attacker got initial access,” Morris said via email. The data center impacted by the attack serves many POS systems in the hospitality industry, and the impact is likely widespread, Morris said.
NCR, which was founded in 1884, is undergoing an effort to separate into two public companies, with one focused on its operations supporting ATMs. NCR ended 2022 with about 35,000 employees and 10,000 contractors worldwide.
The company reported a 10% increase in annual revenue of $7.8 billion, with recurring revenue accounting for 62% of all revenue in 2022. Net income declined 34% to $64 million in 2022.