
Olympus Suffered a Second Cyber Attack That Disrupted Operations in the Americas a Month After a Ransomware Incident on EMEA Networks

Japanese medical tech giant Olympus suffered a subsequent cyber attack, almost exactly one month after hackers disrupted its European, Middle East, and Africa (EMEA) operations.

On its website, the company said it was investigating a “potential cybersecurity incident” detected on Oct 10, 2021.

The cyber attack shut down the company’s IT systems in the Americas, affecting the U.S., Canada, and Latin America with no impacts on other parts of the world, the company said.

Olympus said it was working with “appropriate third parties” and had taken necessary steps to protect its customers.

Olympus cyber-attack was a suspected ransomware incident

Olympus said it was working with the highest priority to resolve the incident and continue serving its customers securely.

“As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners,” the statement read. “The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions.

“We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way.”

Olympus did not disclose whether customer data was accessed during the cyber-attack but promised to provide more information when it becomes available.

However, citing a ransom note left behind by the ransomware-as-a-service (RaaS) group BlackMatter, an insider told TechCrunch that Olympus was recovering from a ransomware attack.

Additionally, the ransom note pointed to BlackMatter’s Tor website used for collecting ransom from other victims.

“First reports state this attack was carried out by the BlackMatter ransomware gang, a fairly new group that is claiming to combine the best features of several other ransomware strains, including REvil and DarkSide, and that is said to be targeting only large enterprises,” noted Erich Kron, Security Awareness Advocate at KnowBe4.

BlackMatter is the successor of various ransomware gangs like DarkSide responsible for high-profile cyber-attacks against critical infrastructure and food processing facilities. The ransomware gang operates on the double extortion strategy, threatening to publish data online if the victim fails to pay a ransom. The group was responsible for the Iowa-based New Cooperative food and agricultural provider ransomware attack last month, demanding $6 million in ransom.

Similarly, BlackMatter was responsible for the Sep 8, 2021, “attempted malware attack” that disrupted operations in the EMEA segment. Olympus said the threat actor did not access customer data during the cyber-attack.

However, full attribution of the cyber-attack remains a difficult task given that BlackMatter provides its infrastructure to other threat actors in exchange for commissions after a successful cyber-attack.

Expect increased ransomware attacks

Most notably, the recent cyber attack took place on a weekend, in line with the FBI and CISA advisory warning that ransomware attacks increased on weekends and holidays “when offices are normally closed.”

Incidents observed include the DarkSide ransomware attack on critical infrastructure on the Mother’s Day weekend. Similarly, Sodinokibi/REvil ransomware attacks struck the U.S. and Australian meat facilities on the Memorial Day weekend and a U.S. IT critical infrastructure entity on the Fourth of July.

“Medical technology giants have proven to be a hot commodity among cybercriminals and ransomware groups due to their substantial customer bases, as well as the potential degree of impact that comes along with targeting companies in the medical industry,” said James Carder, Chief Security Officer and Vice President of LogRhythm.

He suggested that the latest cyber-attack on Olympus was the continuation of last month’s attack on the company.

“Unfortunately, ransomware is multi-staged and there is a persistence around the access, reconnaissance, and exfiltration that could be a remnant of September’s attack,” he continued. “While it hasn’t yet been disclosed whether any customer or company data has been compromised, the potential repercussions remain relevant. In the case of this attack, IT infrastructures and other vital affected systems have been shut down.”

With the developing pattern of cyber-attacks on Olympus Corporation, it’s difficult to determine if the ransomware attack cycle is over.

The company had promised its customers to get to the bottom of the matter after the last cyber-attack. However, it seems that it might have underestimated the level of infiltration.