Some Reports Suggest BlackMatter Was Attacker
Olympus, a Japanese company that manufactures optics and reprography products, has reported that a portion of its IT system in the EMEA region was affected by a “potential cybersecurity incident” on Sept. 8.
“As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the company says.
Olympus says it has mobilized a specialized response team, which includes forensics experts, to investigate the “suspicious activity,” but the company declined to offer additional details, such as the type of cyberattack, the identity of the cybercriminals and the extent of damage. It is unclear if the attack is ongoing or not.
While Olympus has not identified an attacker, some reports suggest it is the BlackMatter ransomware gang.
“We cannot give any information or statement due to the ongoing process of both internal and external investigation,” Christian Pott, a spokesperson for Olympus, tells ISMG.
He added: “The security, support and service of our customer has the highest priority and is not affected by this case.”
The company’s IT team, he says, is working closely with internal stakeholders as well as external cybersecurity experts to determine the extent of the attack. “Other information and updates related to the security incident will be released soon,” he adds.
Clues to BlackMatter Involvement
Emsisoft threat analyst Brett Callow, in an email to ISMG, confirmed that a claimed ransom note obtained by digital publication TechCrunch matches a Tor-accessible site address known to be used by BlackMatter operators to communicate with their victims.
TechCrunch, citing an anonymous source, had claimed that ransomware group BlackMatter is the primary suspect in the Olympus incident. The group, it says, left a ransom note saying: “Your network is encrypted, and not currently operational. If you pay, we will provide you the programs for decryption.”
Details such as the amount of ransom sought and the reportedly encrypted data could not be immediately ascertained.
On July 27, cybersecurity firm Flashpoint said that BlackMatter “posted a notice on the forums, stating they are looking to purchase access to infected corporate networks in the U.S., Canada, Australia and the U.K. with more than $100 million in annual revenue, presumably for ransomware operations.”
Based on this information, Olympus is likely a BlackMatter target, says TechCrunch, citing Emsisoft CTO Fabian Wosar.
BlackMatter is believed to be a spinoff of the DarkSide, REvil and LockBit ransomware groups, adopting their “best features” (see: BlackMatter Ransomware Claims to Be Best of REvil, DarkSide).
BlackMatter first appeared on the cybercrime forums XSS and Exploit on July 19, offering ransomware as a service, news platform The Record reported. It runs an affiliate-based model, similar to DarkSide's, in which it takes a 30% cut of each ransom its affiliates collect in return for the service provided.
The BlackMatter ransomware group has also created a Linux version of its malware to target VMware’s ESXi servers hosting virtual machines, according to security researchers at MalwareHunterTeam (see: BlackMatter Group Debuts Linux-Targeting Ransomware).