Dissecting the NCR ransomware attack
The April cyber attack against NCR was unusual for two reasons. First, the attack was not on a restaurant chain or retailer but on a company that provides financial services for these companies, particularly point-of-sale (POS) processing. Second, NCR publicized the attack after its incident response process required it to shut down system functionality for its clients. But in other ways, it was very typical: the criminals who hacked into the system didn’t steal money directly, but blackmailed NCR into paying them with the threat of releasing information on customers gleaned from the POS software. This attack naturally concerned restaurants and retailers whose customer information is housed in the software.
Because of the sophistication of the attacks, they are less likely to be perpetrated by lone-wolf criminals. Instead, cyber criminal gangs have arisen, such as Wizard Spider, LockBit, Royal, Vice Society and BlackCat, the perpetrator of the NCR attack, almost to the point of being considered international cartels. But there are also plenty of smaller gangs that go after smaller targets, Sedek said, so not being a giant company isn’t an automatic protection.
“These types of ransomware gangs typically want to go where they can extract the most damage or, at least, extract the biggest payment,” Sedek said. For that reason, “mom-and-pop”-type single-location restaurants and retail stores are less attractive targets. A business with a chain of locations is more likely to be a desirable one.
Many ransomware attacks go unreported, Sedek said, because of the damage to reputation they can cause a business, which might be more detrimental than the theft. Sedek said studies have shown that the reputational damage of a known data breach costs a company 4% worldwide in lost customers, and that the percentage is higher for U.S. companies. If the ransoming criminal keeps the demand for money low enough, a business might decide that it makes more sense to pay the ransom and receive back the stolen data. However, that approach only emboldens the criminals and often results in them striking again, asking for larger sums.