Tech giant Olympus reportedly hit by BlackMatter ransomware


The firm says it is working to determine the extent of the breach

Japanese tech firm Olympus is investigating 'a potential cybersecurity incident' that affected its business units in Europe, the Middle East and Africa (EMEA).

In a press statement released over the weekend, the company said that it detected suspicious activity on its computer systems on 8th September and 'immediately mobilised a specialised response team including forensics experts'.

As a precautionary measure, data transfers in the affected machines were suspended, and the relevant external partners were notified about the incident.

Olympus says it is currently working with the highest priority to determine the extent of the breach and to resolve the issue as soon as possible. The company apologised to everyone affected as a result of the incident.

Olympus is a Tokyo-based multinational firm with more than 31,600 employees worldwide. It specialises in manufacturing a range of scientific and medical equipment, including ultrasound and microscope tools. Olympus was a pioneer in both analogue and digital cameras, but sold off its camera division earlier this year.

While Olympus did not provide any information about the nature of the cyber incident or the people who might be behind the attack, sources with knowledge of the matter told TechCrunch that the company had fallen victim to a ransomware attack by the BlackMatter extortion group.

The attacker left a note on encrypted systems and promised to decrypt them in exchange for payment, TechCrunch sources said.

'Your network is encrypted, and not currently operational,' the note reportedly reads.

'If you pay, we will provide you the programs for decryption.'

The ransom note also directed recipients to visit a web page that is said to be accessible only through the Tor browser and is used by the BlackMatter group to communicate with its victims.

According to security experts, the BlackMatter ransomware group is a revamped version of DarkSide, the Russia-based group that encrypted the computer systems of Colonial Pipeline in May.

The shutdown of Colonial's systems sparked panic in the southeastern US, with residents seen queuing at petrol pumps for several hours over fears of a fuel shortage. Petrol prices rose as a result of the supply disruption, and some stations also ran out of fuel.

A report by Bloomberg said that Colonial Pipeline paid a ransom of nearly $5 million (about £3.55 million) to the DarkSide gang, hours after the company's systems started locking up. After receiving the payment, the ransomware operators provided the company with a decryption tool to restore its disabled computer network.

BlackMatter is also linked to the REvil group, which used a zero-day bug in Kaseya's VSA remote management tool to encrypt about 60 managed service providers and over 1,500 of their small- and medium-sized business customers in a massive supply chain attack in the first week of July.

The gang, however, disappeared from the internet on 13 July, abandoning forums, disconnecting its servers and shutting down its dark web presence. Experts said that the Russian government had forced the group to cease operations in order to show the world that it was working with the US government.

After being offline for about two months, many of the dark web servers belonging to REvil resurfaced a few days ago, sparking fears that the group was preparing for new attacks.

Security researchers said that the group's Happy Blog data leak site and the Tor payment/negotiation portal had suddenly returned to the dark web.

REvil's payment portal, where victims could negotiate with the group's operatives, has also resurfaced, although it doesn't appear to be fully functional yet.