Olympus Investigating Potential BlackMatter Ransomware Attack

The technology firm Olympus is investigating a cybersecurity incident that has affected IT systems used in the EMEA region. Olympus issued a statement confirming suspicious activity was detected in its computer network last week; a specialized incident response team has been mobilized and a forensic investigation is underway. All data transfers from the impacted systems have been suspended and external partners have been notified. Olympus is currently attempting to determine the extent of the attack and assess the damage that has been caused. Olympus said the support, service, and security of customers remain its highest priority and have not been affected by the attack.

While few details have been released about the exact nature of the security incident due to the ongoing investigation, TechCrunch reports this as a suspected BlackMatter ransomware attack. An individual made contact with the site prior to the official announcement from Olympus claiming a ransom note had been left on computers affected by the attack which appeared to be from the BlackMatter ransomware gang. The web address provided in the ransomware note was independently confirmed as being associated with BlackMatter.

BlackMatter is a ransomware-as-a-service operation that first appeared in July 2021, shortly after the shutdown of the DarkMatter RaaS operation. DarkMatter went dark following its attack on Colonial Pipeline in the United States, which caused the shutdown of a major fuel pipeline to the eastern seaboard of the United States.

BlackMatter is thought to be the successor to DarkMatter and, according to Emsisoft, which analyzed a sample of BlackMatter ransomware, shares similarities with both DarkMatter and REvil ransomware and uses the same encryption routine as DarkMatter. REvil also went quiet shortly after DarkMatter, following its attacks on JBS Foods and Kaseya, although REvil has since reemerged.

Since July, BlackMatter has been used in more than 40 ransomware attacks globally, including attacks in the United States, Chile, Brazil, India, and Thailand. Like most RaaS operations, the BlackMatter ransomware gang exfiltrates data from victims’ systems prior to file encryption and has operated a data leak site on the Tor network since August 11, 2021. Exfiltrated data are uploaded to the leak site to pressure victims into paying the ransom.

In contrast to DarkMatter, BlackMatter said it will not conduct attacks on healthcare organizations, nonprofits, government agencies, defense contractors, or critical infrastructure firms. While Olympus is not an out-and-out healthcare equipment manufacturer, the technology giant does manufacture a wide range of equipment for the medical and life sciences industries.

The attack comes a few days after the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued a threat brief about BlackMatter ransomware, warning the health and public health sector in the United States about an elevated risk of attack, despite the gang’s promise to provide a free decryptor to any entity on its list of prohibited targets that is attacked.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news