Olympus made a brief statement on Sunday that it “is currently investigating a potential cybersecurity incident” affecting its computer network in Europe, the Middle East and Africa.
“As soon as suspicious activity was discovered, we immediately mobilized a specialized response team with forensics experts and are currently working on solving this problem as a top priority. As part of the investigation, we suspended the data transmission in the affected systems and informed the relevant external partners,” the statement said.
However, according to one person with knowledge of the incident, Olympus is recovering from a ransomware attack that began early in the morning on September 8th. The person shared details of the attack before Olympus confirmed the incident on Sunday.
A ransom note left on infected computers is believed to be from the BlackMatter ransomware group. “Your network is encrypted and currently not operational,” it reads. “If you pay, we’ll provide you with the decryption tools.” The ransom note also included a web address for a site that can only be reached through the Tor browser, which BlackMatter is known to use to communicate with its victims.
Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the site named in the ransom note is linked to the BlackMatter group.
BlackMatter is a ransomware-as-a-service group that emerged as the successor to several ransomware groups, including DarkSide, which recently withdrew from the criminal scene after the high-profile ransomware attack on Colonial Pipeline, and REvil, which fell silent months after the Kaseya attack flooded hundreds of businesses with ransomware. Both attacks caught the attention of the US government, which promised to take action if critical infrastructure were hit again.
Groups like BlackMatter rent out access to their infrastructure to affiliates who carry out the attacks, while BlackMatter collects a share of the ransom payments. Emsisoft has also found technical links and code overlap between DarkSide and BlackMatter.
Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but the total number of victims is likely to be significantly higher.
Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to publish the files online if the ransom for decryption is not paid. Another BlackMatter-affiliated site, which the group uses to list its victims and advertise stolen data, had no listing for Olympus at the time of publication.
Headquartered in Japan, Olympus manufactures optical and digital reprographic technology for the medical and life sciences industries. Until it sold its ailing camera division in January, the company also built digital cameras and other electronics.
Olympus said it is “currently working to determine the extent of the problem and will continue to provide updates as new information becomes available”.
Christian Pott, a spokesman for Olympus, did not respond to emails and text messages asking for comments.