
Olympus Suffers a Suspected BlackMatter Ransomware Attack

Japanese tech giant Olympus suffered a suspected BlackMatter ransomware attack that infected computers in its EMEA (Europe, Middle East, and Africa) segment.

However, the company only hinted that it was investigating a “potential cybersecurity incident” that began on the morning of September 8.

It was later determined to be a BlackMatter ransomware attack after the cybercrime gang left a ransom note demanding payment in exchange for “programs for decryption.”

With a global workforce of 31,600, Olympus is well known for manufacturing digital cameras, a unit that was later sold off to OM Digital Solutions after recording poor performance.

Olympus currently manufactures optical and digital technology for the medical and life sciences industry.

Olympus acknowledges a suspected ransomware attack

Olympus acknowledged the cyber incident adding that it had “mobilized a specialized response team including forensics experts” that was “working with the highest priority to resolve this issue.”

“As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the company added. “We are currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

Without providing further detail, an Olympus spokesman said that the company’s customer service was not affected.

The company later released a statement describing the incident as “an attempted malware attack,” adding that it had alerted the relevant government authorities.

Additionally, Olympus said the incident did not affect its operations outside the EMEA region, and no loss, unauthorized use, or disclosure of its data was discovered during the initial investigation.

Given the reputational damage associated with ransomware attacks, many companies are very cautious about acknowledging them.

BlackMatter was responsible for the Olympus ransomware attack

Olympus did not disclose the identity of the threat actor behind the attack citing an internal investigation. Similarly, BlackMatter’s data leak website did not list Olympus as a victim.

However, all evidence pointed to the ransomware gang, according to the technology website TechCrunch, which first reported the breach.

According to a person familiar with the matter, BlackMatter left a ransom note demanding payment through a Tor web address used by the group.

“Your network is encrypted, and not currently operational,” the note said. “If you pay, we will provide you the programs for decryption.”

“Organizations are kept up at night by the prospect of being hit by ransomware, and now Olympus, an international tech company, is the latest victim,” Saryu Nayyar, CEO, Gurucul, said. “In the case of Olympus, it was the BlackMatter ransomware, which is essentially the same as the attack on the Colonial Pipeline back in April. Unless BlackMatter relents, it has the potential to cost Olympus millions of dollars to get its network unencrypted.”

BlackMatter succeeded DarkSide, REvil, and RagnaRok ransomware gangs

BlackMatter is a ransomware-as-a-service (RaaS) operator that succeeded several ransomware operators, including the REvil, RagnaRok, and DarkSide gangs. The latter shut down under increased law enforcement pressure following the Colonial Pipeline ransomware attack.

Some experts believe that BlackMatter is simply a rebranding of the DarkSide ransomware group, intended to distance it from recent high-profile attacks. Experts say BlackMatter’s tactics match those employed by the DarkSide ransomware group.

“The adversary behaviors and tactics, techniques, and procedures (TTPs) seem to be very similar for DarkSide and BlackMatter,” said Jorge Orchilles, CTO, SCYTHE. “It can be suggested that the threat actor simply changed their name and took a little break to distance themselves from the Colonial Pipeline breach. While it may seem we have had fewer ransomware attacks the past couple of months, we expect these types of double extortion ransomware attacks to continue at full force the remainder of the year.”

BlackMatter rents its infrastructure to other threat actors in exchange for a commission on every successful ransomware attack. Since June, the group has been responsible for at least 40 ransomware attacks, according to Emsisoft.

“The rising popularity of ransomware-as-a-service means it’s never been easier for criminals to carry out a cyberattack, even on tech giants,” says Oz Alashe, CEO and founder at CybSafe. “The practice opens possibilities for those who want to commit ransomware attacks but previously did not have the technical capabilities or know-how to execute them. This auctioning off of services from groups such as BlackMatter increases the scope of the threat, and also the number of potential targets.”