Olympus: 'Potential Cyber Incident' Disrupted EMEA System
Some Reports Suggest BlackMatter Was Attacker
Olympus, a Japanese company that manufactures optics and reprography products used in cameras and medical instruments, has reported that a portion of its IT systems and its sales and manufacturing networks in the EMEA region were affected by an "attempted malware attack" on Sept. 8.
The company did not disclose the identity of the cybercriminal(s) or the intent of the attack.
“We [have] immediately suspended data transfers in the affected systems and have informed the relevant external parties,” the company says.
Olympus says it has mobilized a specialized response team, which includes forensics experts, to investigate the "suspicious activity." It is unclear whether the attack is ongoing.
While Olympus has not identified an attacker, some reports suggest it is the BlackMatter ransomware gang.
“We cannot give any information or statement due to the ongoing process of both internal and external investigation,” Christian Pott, a spokesperson for Olympus, tells ISMG.
He adds: “The security, support and service of our customer has the highest priority and is not affected by this case. We would like to reassure all our customers and partners that our daily business operations are working as normal, ensuring the uninterrupted supply of our services for patients.”
In an updated statement on Tuesday, Sept. 14, the company says that it has not witnessed any evidence of loss, unauthorized use or disclosure of data.
"There is also no evidence that the cybersecurity incident affected any systems outside of the EMEA region," Olympus says.
The company’s IT team, Pott says, is working closely with internal stakeholders as well as external cybersecurity experts to reinstate all systems and services.
Additionally, the company has informed relevant government authorities about the incident as part of its responsible disclosure guidelines, the Olympus spokesperson says.
Clues to BlackMatter Involvement
Emsisoft threat analyst Brett Callow, in an email to ISMG, confirmed that the Tor-accessible site address in a claimed ransom note obtained by digital publication TechCrunch matches one known to be used by BlackMatter operators to communicate with their victims.
TechCrunch, citing an anonymous source, had claimed that ransomware group BlackMatter is the primary suspect in the Olympus incident. The group, it says, left a ransom note saying: “Your network is encrypted, and not currently operational. If you pay, we will provide you the programs for decryption.”
Details such as the amount of ransom sought and the reportedly encrypted data could not be immediately ascertained.
On July 27, cybersecurity firm Flashpoint said that BlackMatter “posted a notice on forums stating they are looking to purchase access to infected corporate networks in the U.S., Canada, Australia and the U.K. with more than $100 million in annual revenue, presumably for ransomware operations.”
Based on this information, Olympus is likely a BlackMatter target, says TechCrunch, citing Emsisoft CTO Fabian Wosar.
BlackMatter is believed to be a spinoff of the DarkSide, REvil and LockBit ransomware groups, adopting their “best features” (see: BlackMatter Ransomware Claims to Be Best of REvil, DarkSide).
BlackMatter first appeared on the cybercrime forums XSS and Exploit on July 19, offering ransomware as a service, news platform The Record reported. It runs an affiliate-based model - similar to DarkSide's - in which it takes a 30% cut of the ransoms collected by its affiliates in exchange for the service provided.
The BlackMatter ransomware group has also created a Linux version of its malware to target VMware's ESXi servers hosting virtual machines, according to security researchers at MalwareHunterTeam (see: BlackMatter Group Debuts Linux-Targeting Ransomware).
(Note: This story has been updated to reflect new information based on a statement from Olympus.)