Olympus likely victim of BlackMatter ransomware

Key IT systems remain shut off at Olympus, five days after what seems to have been a BlackMatter ransomware attack

The European operations of Japanese optical technology giant Olympus remain offline today, following an apparent ransomware attack, thought likely to be the work of the BlackMatter syndicate.

Although at the time of writing Olympus had disclosed only that it was investigating a cyber security incident, sources with insider knowledge of the incident, which occurred on Wednesday 8 September, told TechCrunch that a ransom note left on infected PCs indicated an attack by BlackMatter – the veracity of the note was confirmed by ransomware experts.

In a brief statement, the company said: “Upon detection of suspicious activity, we immediately mobilised a specialised response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners.

“We are currently working to determine the extent of the issue and will continue to provide updates as new information becomes available. We apologise for any inconvenience this has caused.”

The BlackMatter group first emerged during the summer of 2021, and was immediately linked by analysts and researchers to the now defunct DarkSide crew behind the Colonial Pipeline attack in May.

The group subsequently claimed that it had worked with DarkSide in the past, but that the two are not one and the same. Research by Sophos analysts suggests it is also influenced by REvil – the fate and status of which remain somewhat uncertain.

Like many other ransomware gangs, it operates a ransomware-as-a-service (RaaS) operation, and openly seeks out initial access brokers (IABs) who can help it penetrate corporate networks – so far it has targeted enterprises with annual sales of over $100m.

It is also explicit about not attacking organisations such as hospitals or critical national infrastructure (CNI) operators, although like any claims made by a ransomware gang, this should be taken with a hefty pinch of salt.

CybSafe CEO and founder Oz Alashe commented: “The rising popularity of ransomware-as-a-service means it’s never been easier for criminals to carry out a cyber attack, even on tech giants.

“The practice opens possibilities for those who want to commit ransomware attacks but previously did not have the technical capabilities or know-how to execute it. This auctioning off of services from groups such as BlackMatter increases the scope of threat, and also the number of potential targets.”

Anthony Gilbert, cyber threat intelligence lead at Bridewell Consulting, a security services provider, added: “Olympus will be still working through its incident response and digital forensics process to understand what was compromised and how. But the fact the business has had to shut down computer networks is concerning as every minute the business is not operating will impact both revenue and reputation.

“It’s not clear at this stage if the company has, or is going to pay the ransom, and this will largely depend on the company’s response process and interests of the organisation and its customers,” he said.

“The problem is, paying the ransom does not guarantee files will be successfully decrypted, nor prevent a second similar incident or doxxing blackmail to which the organisation may remain vulnerable.”