The incident, which occurred Sept. 8 and affected the company's EMEA IT systems, seems to signal a return to business as usual for ransomware groups.
Japanese technology giant Olympus is currently investigating a cyber incident on its EMEA IT systems that occurred earlier this month and that, according to sources, is the result of a BlackMatter ransomware attack.
The company detected "suspicious activity" on Sept. 8 and "immediately mobilized a specialized response team including forensics experts," according to a press statement released over the weekend.
"As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners," according to the statement. "We are currently working to determine the extent of the issue and will continue to provide updates as new information becomes available."
Olympus, a multinational company with more than 31,600 employees worldwide, manufactures optical and digital reprography technology for the medical and life sciences industries. It was well known in the past as a pioneer in both analog and digital cameras, but sold off its struggling camera division in January.
It appears Olympus was the victim of the BlackMatter ransomware group, one of the cybercriminal organizations that has risen to prominence after other purveyors of ransomware, such as DarkSide, REvil and Ragnarok, shut down operations, according to a report in TechCrunch.
According to the report, which cited a person "familiar with the incident," the attack began in the early morning of Sept. 8, with BlackMatter claiming responsibility in a ransom note left on infected computers.
"Your network is encrypted, and not currently operational," the note said, according to the report. "If you pay, we will provide you the programs for decryption."
The group also included a web address for a site known to be used by BlackMatter to communicate with victims; the site is accessible only through the Tor Browser, the report said.
Rising from the Ashes
BlackMatter operates as ransomware-as-a-service and rose from the ashes of DarkSide, a group perhaps best known for the takedown of Colonial Pipeline, which caused a major disruption in the oil and gas industry. In fact, some believe BlackMatter is merely a rebranding of the former ransomware gang rather than an entirely new group, said one security expert.
"The adversary behaviors and tactics, techniques, and procedures (TTPs) seem to be very similar for DarkSide and BlackMatter," noted Jorge Orchilles, CTO of adversary-emulation security firm SCYTHE, in an email to Threatpost. "It can be suggested that the threat actor simply changed their name and took a little break to distance themselves from the Colonial Pipeline breach."
REvil also had been lying low since a major supply-chain attack on Kaseya, but returned last week with its servers back online and a fresh victim listed on its site. A purported representative of the group also answered questions on an underground forum about why REvil disappeared for a while and how its decryptor for the Kaseya attacks ended up online.
All of this recent activity is bad news for organizations that want to avoid being targeted by ransomware, which can cost organizations millions in remediation and in ransom fees to unlock files, Orchilles noted.
"While it may seem we have had less ransomware attacks the past couple of months, we expect these types of double extortion ransomware attacks to continue at full force the remainder of the year," he said.
Indeed, the prospect of being hit by ransomware is something that keeps organizations "up at night," noted Saryu Nayyar, CEO of risk analytics firm Gurucul.
Though it seemed that the threat was waning for a while, the attack on Olympus, reminiscent of the Colonial Pipeline attack, shows that it is here to stay, which means companies need to shore up defenses, she said in an email to Threatpost.
"Until enterprises can completely protect their systems from attack, the only early warning available is to monitor network activity in detail to detect anomalous activity, and rapidly track it down to close any security holes," Nayyar said. "IT teams and security professionals have to be constantly vigilant, but they also need the right tools for early detection and remediation."