A point-of-sale (POS) application, Aloha, has been knocked offline by a ransomware attack affecting thousands of restaurants and retailers reliant on it for handling inventory and payroll for their staff, as well as payments.
The Aloha POS is used by 140,000 outlets worldwide. Owner NCR Corporation says customers include Brewdog, Dunkin Donuts, Gaucho, Nandos and other franchises. The Black Cat ransomware group has claimed credit and said it had gained access to customer data. The Stack could not immediately independently confirm this.
NCR confirmed on April 15 three days after reports of Aloha POS outage that the incident was caused by a ransomware attack, playing it down as limited to what it described in a letter to customers and public status update as “a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers" and saying that there was "no impact to payment applications." (Many customers will be unlikely to put payments through a recently compromised application, regardless.)
The incident appears to have had global impact with Aloha POS users in both the US and UK reporting outages on a series of sub-Reddit discussions about the incident. One US customer said: “It’s affecting all stores (well over 700) of the company I work for. Not able to enter deposits, inventory, payroll. It’s a disaster."
One affected customer said: “I manage a global estate across 48 countries. It’s been hell and I just know this isn’t going away anytime soon... it’s a franchise based company and I work for the parent and I’m responsible for their in store solutions including POS. We don’t have Aloha in all markets but a good percentage are running it.”
Another in the UK said: "Affecting sites here in the UK as well. Command Centre works fine, but CFC, Pulse and NBO is down.” (Respectively, these refer to configuration centre, data analytics, and staff management applications.)
UPDATED April 19: NCR said on April 18 that "our team continues our 24/7 efforts to execute on our recovery plan to re-establish secure access to impacted Aloha applications. Please know we have heard your feedback and developed this plan based on the priority items we believe will help you get back to business as usual as soon as possible."
The Aloha POS outage
NCR, which claims that over 1.5 million restaurant workers are trained on Aloha, provides hardware and software across retail, hospitality and banking, including “account opening software unifies the sales and onboarding experience across digital, branch and call center channels for mid-market community banks and credit unions.” It generated $7.8 billion in revenues in 2022.
In the standard risk section of its last annual report NCR emphasised that in 2022 “spending on cybersecurity efforts represented approximately 10% of its overall IT spend” adding in boilerplate that “there can be no assurance that the Company or its cybersecurity consultants will be able to prevent or remediate all future incidents or that the cost associated with responding to any such incident will not be significant…”
One affected customer said on Reddit: “Restaurant manager here, small franchise stuck in the Stone Age with around 100 employees. We’re doing the old pen and paper right now and sending to head office. The whole situation is a huge migraine” with another adding that “I’m batch converting and combining ADIJTIME dbf files from each site for this week’s pay period coming up. It’s ugly but I’m hoping I’ll only have to do it once…”
Recovering from ransomware can be a gruelling journey
Even if a ransom is paid or the company had recent backups that were well segmented away from affected systems, recovery after a ransomware incident can take weeks at best, to several months.
As one experienced ransomware incident response professional recently wrote in The Stack, “even with unlimited resources [one recently impacted large organisation] took three months to get 95% recovered… The likely scenario [in most ransomware attacks] is that they have full administrative access to your Active Directory. With domain admin level access, they have the keys to everything, including your back up. We see adversaries head straight for the backups, which they destroy, before they go ahead and do the rest of the damage. Best case scenario, you have your backups intact. Have you actually tested how long it will take to restore everything? If you have a fully bricked system you will need to start by reinstalling the operating system first, then applications and services..."
Alex Papadopoulos, Director, Incident Response Consulting, Secureworks, added in his article on recovering from ransomware: “In another IR engagement, the impacted organisation had backups which survived the intrusion and ransomware. What didn’t survive was the victim’s Active Directory. Functionally, they couldn’t even start the process of restoring because their backup solution required Active Directory to log in. They needed to authenticate, and nothing worked. The customer had to fix this basic building block before they could do anything else. It’s a basic building block, but one that requires specialist expertise which they did not have inhouse.”
Simon Chassar, CRO at Claroty, said of the Aloha POS outage said: “Ransomware attacks on POS platforms can have disastrous impacts on the hospitality industry, leading to service downtime and long-term disruption. Our research shows that 51% of the food and beverage sector reported substantial disruption when hit by a ransomware attack in 2021. Moreover, these attacks can cause significant financial losses for organisations, with more than a third stating that the revenue impact of operational disruption would be at least $1m per hour.”
He added: “As the hospitality industry continues to connect more cyber-physical systems such as POS and IoT devices to their networks; such as smart buildings Heating, Power and Lighting, CCTV etc, organisations expose themselves to new cyber threats and vulnerabilities, which can lead to costly operational downtime.
NCR said on April 15, without giving customers any timeline: “Please rest assured that we have a clear path to recovery and we are executing against it. We are working around the clock to restore full service for our customers. In addition, we are providing our customers with dedicated assistance and workarounds to support their operations as we work toward full restoration. Restaurants impacted are still able to serve their customers. Only specific functionality is impaired. There is no impact to payment applications or on-premises systems.”
Are you affected? Feel free to pop us a line and share experience, on or off-the-record.