Olympus Suffers another Cyberattack

The Japanese technology giant Olympus has announced that its IT systems in the US, Canada, and Latin America suffered a cybersecurity incident. Details of the attack are thin on the ground, but it follows another incident that occurred in September 2021. That first attack was announced on September 11 and, according to the company, affected IT systems for Europe, the Middle East, and Africa. Again, details were sparse, but according to Bleeping Computer the attack involved the now-infamous BlackMatter ransomware.

This was supported by an article published by TechCrunch, which reported that a sample of the ransom note had been seen and that ransomware experts believed it was likely linked to BlackMatter.


After articles were published linking the attack to BlackMatter, Olympus issued another statement saying,

“We can confirm that the incident on September 8, 2021, was an attempted malware attack affecting parts of our sales and manufacturing networks in EMEA (Europe, Middle East, and Africa). [..] We have reported the incident to the relevant government authorities. According to the results of the investigation so far, no evidence of loss, unauthorized use, or disclosure of our data has been detected. There is also no evidence that the cybersecurity incident affected any systems outside of the EMEA region.”

Olympus has been sparing with the information it has released to the public about both attacks. At the time of writing, nothing publicly available suggests that the two attacks are linked.

The company's statement regarding the second incident,

“Olympus is currently investigating a potential cybersecurity incident detected October 10, 2021 that is affecting its Americas (U.S., Canada and Latin America) IT systems...Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions...We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way. Protecting our customers and partners and maintaining their trust in us is our highest priority.”

However, falling victim to two attacks in the space of a couple of months does little to inspire confidence, and questions will be raised about the company's cybersecurity posture. For those behind the BlackMatter ransomware strain, it has been a busy and productive few months, much to the dismay of several organizations.

BlackMatter’s Victim List Grows

Other than Olympus, DarkSide, the threat group strongly believed to be behind BlackMatter, has added several high-profile victims to an ever-growing list of organizations hit by the ransomware.

On September 20, 2021, news articles began emerging that New Cooperative, an Iowa-based farm services company, had suffered a cyber incident. The BlackMatter leak site, a Dark Web site of the kind ransomware operators use to announce new victims and the date on which stolen data will be published, listed New Cooperative as its latest victim.

The ransomware operators claimed to have stolen over 1,000 GB of data and set a payment deadline of September 25. Several experts also confirmed that the group was demanding nearly 6 million USD to decrypt the files and not release the stolen data.

In attempting to avoid paying the ransom, the company's representatives argued, according to leaked chats, that the company formed part of the "16 critical sectors" that US President Joe Biden had told Russian President Vladimir Putin were off-limits to ransomware actors. The leaked chats further suggested that the BlackMatter operators would not back down and continued to demand payment of the ransom.

Information regarding the second high-profile attack involving BlackMatter came one day after news of the New Cooperative incident broke. This time the victim was Marketron, a business software solutions provider that serves more than 6,000 customers in the media industry. Marketron provides cloud-based revenue and traffic management tools for broadcast and media organizations.

It specializes in revenue management and audience engagement, handling approximately 5 billion USD in advertising revenue every year. In an email sent to employees, company CEO Jim Howard admitted that the company had suffered an attack by operators deploying BlackMatter. The ransomware infection took down all services offered by the company.

Other companies who have fallen victim to BlackMatter, according to Bleeping Computer, include:

  • a wine and spirits company
  • an investment banking services provider in the U.S.
  • a vendor of citrus juicing equipment in Austria
  • a maker of drilling and foundation equipment in Italy
  • Japanese technology giant Olympus
  • a US-based construction company
  • a unified communications company in the UK

Never too Late

According to an article published by ZDNet, it might not be too late to defend against a ransomware attack even if attackers have already compromised your network. This does mean that the organization needs better-than-average threat-hunting capabilities, which allow security staff to find suspicious activity and stop it before it turns into a major problem.

Given that modern human-operated ransomware gangs can spend weeks inside a network before encrypting data, there is still a chance they can be detected before lasting damage is done. This requires security staff to have a thorough knowledge of the attack routines these groups use, such as installing specific types of malware to increase the attacker's level of access, or exploiting favored vulnerabilities to compromise the network.

Being able to find out whether cybercriminals have compromised the network can play a major role in preventing an incident altogether, or at least in reducing its impact to a bare minimum.
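One concrete shape such a hunt can take is to look for an account that suddenly authenticates to many different hosts in a short window, the fan-out that typically precedes mass deployment of the encryptor. The script below is an added illustration written for this page, not code from the ZDNet article, VMware, or Olympus. The log lines are constructed for the example and the field layout (timestamp, event, user=, src=, dst=) is an assumption rather than the format of any real product; the window and threshold are likewise placeholder values to be tuned against an environment's own baseline.

```python
"""Threat-hunting illustration: flag accounts that reach an unusually large
number of distinct hosts within a short window, a lateral-movement pattern
often seen before a human-operated ransomware crew deploys the encryptor.

The log lines below are constructed for this example; the field layout
(timestamp, event, user=, src=, dst=) is an assumption, not a real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOGS = """\
2021-10-10T01:02:11Z LOGON user=jsmith src=10.1.4.22 dst=FILESRV01
2021-10-10T01:05:40Z LOGON user=jsmith src=10.1.4.22 dst=FILESRV01
2021-10-10T02:10:03Z LOGON user=svc_backup src=10.1.9.5 dst=DC01
2021-10-10T02:10:09Z LOGON user=svc_backup src=10.1.9.5 dst=FILESRV01
2021-10-10T02:10:15Z LOGON user=svc_backup src=10.1.9.5 dst=FILESRV02
2021-10-10T02:10:21Z LOGON user=svc_backup src=10.1.9.5 dst=APP01
2021-10-10T02:10:27Z LOGON user=svc_backup src=10.1.9.5 dst=APP02
2021-10-10T02:10:33Z LOGON user=svc_backup src=10.1.9.5 dst=HR-WS17
2021-10-10T03:00:00Z LOGON user=mlee src=10.1.4.31 dst=APP01
2021-10-10T09:00:00Z LOGON user=svc_backup src=10.1.9.5 dst=DC01
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, src, dst).

    Returns None for blank lines and for events other than LOGON."""
    if not line.strip():
        return None
    ts_str, event, *fields = line.split()
    if event != "LOGON":
        return None
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["src"], kv["dst"]


def hunt_fan_out(log_text, window=timedelta(minutes=10), threshold=4):
    """Return {user: set_of_hosts} for every user that authenticated to at
    least `threshold` distinct hosts inside any sliding window of `window`.

    Events are grouped per user, sorted by time, and a two-pointer sliding
    window counts distinct destinations; all hosts seen in a triggering
    window are reported so an analyst can scope the spread."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, user, _src, dst = parsed
            events[user].append((ts, dst))

    findings = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= threshold:
                findings.setdefault(user, set()).update(hosts)
    return findings


if __name__ == "__main__":
    for user, hosts in hunt_fan_out(SAMPLE_LOGS).items():
        print(f"ALERT: {user} reached {len(hosts)} hosts: {sorted(hosts)}")
```

Run against the sample, only `svc_backup` is reported: six hosts in thirty seconds, while the two ordinary users touch one host each and the later, isolated `svc_backup` logon falls outside the window. In practice the threshold has to be set above the legitimate fan-out of backup and management accounts, which is exactly the baseline knowledge the article says hunting teams need.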

Keeping a ransomware attack restricted to one part of the network is still better than letting it spread across the entire enterprise environment, which also highlights the importance of segmenting the network so that the whole of it is not exposed. Containment can also help cybersecurity teams learn to prevent additional attacks in the future. Amelia Estwick, director of threat research at VMware, speaking to ZDNet, noted,

“It's so important to have threat-hunting capabilities on the team – if you don't have that in your organization, partner up within the ecosystem – because threat hunting really helps to identify those activities...We already know they're in there, so let's figure out how to batten down the hatches and how they are moving throughout the system, so we can learn to better provide and develop tools to detect and prevent this from occurring again,”


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
