The Japanese tech giant Olympus announced that its IT systems in the US, Canada, and Latin America had suffered a cybersecurity incident. Details of the attack are thin on the ground, but it follows another incident that occurred in September 2021. The first attack was announced on September 11 and, according to the company, affected IT systems for Europe, the Middle East, and Africa. Again, details of the attack were sparse, but according to Bleeping Computer the attack involved the now-infamous BlackMatter ransomware.
This was supported by an article published by TechCrunch, where a sample of the ransom note was seen and ransomware experts confirmed it was likely linked to BlackMatter.
After articles were published linking the attack to BlackMatter, Olympus issued another statement saying,
“We can confirm that the incident on September 8, 2021, was an attempted malware attack affecting parts of our sales and manufacturing networks in EMEA (Europe, Middle East, and Africa). [..] We have reported the incident to the relevant government authorities. According to the results of the investigation so far, no evidence of loss, unauthorized use, or disclosure of our data has been detected. There is also no evidence that the cybersecurity incident affected any systems outside of the EMEA region.”
Olympus has been awfully sparing with the information it has released to the public about both attacks. At the time of writing, there is no publicly available information that suggests the two attacks are linked.
The company's statement regarding the Americas incident reads,
“Olympus is currently investigating a potential cybersecurity incident detected October 10, 2021 that is affecting its Americas (U.S., Canada and Latin America) IT systems...Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions...We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way. Protecting our customers and partners and maintaining their trust in us is our highest priority.”
However, falling victim to two attacks in the space of a couple of months does little to inspire confidence, and questions will be raised about the company's cybersecurity infrastructure. For those behind the BlackMatter ransomware strain, it has been a busy and productive few months, much to the horror of several organizations.
BlackMatter’s Victim List Grows
Other than Olympus, DarkSide, the threat group strongly believed to be behind BlackMatter, has added several high-profile victims to an ever-growing list of those who have fallen victim to the ransomware.
On September 20, 2021, news articles began emerging that New Cooperative, an Iowa-based farm services company, had suffered a cyber incident. The BlackMatter leak site (a website, typically on the dark web, used by ransomware operators to announce new victims and when stolen data will be leaked) announced that New Cooperative was its latest victim.
The ransomware operators claimed that they had stolen over 1,000 GB of data, and the deadline for receiving the ransom was September 25. Several experts also confirmed that the group was demanding nearly 6 million USD to decrypt files and not release the stolen data.
In attempting to avoid paying the ransom, the company's representatives argued in leaked chats that the company formed part of the “16 critical sectors” that US President Joe Biden had told Russian President Vladimir Putin were off-limits to ransomware actors. The leaked chats further suggested that the BlackMatter operators would not back down and continued to demand payment of the ransom.
Information regarding the second high-profile attack involving BlackMatter came one day after news of the New Cooperative incident broke. This time the victim was Marketron, a business software solutions provider that serves more than 6,000 customers in the media industry. Marketron provides cloud-based revenue and traffic management tools for broadcast and media organizations.
It specializes in revenue management and audience engagement, handling approximately 5 billion USD in advertising revenue every year. In an email sent to employees, company CEO Jim Howard admitted that the company had suffered an attack by operators deploying BlackMatter. The ransomware infection had taken down all services offered by the company.
Other companies who have fallen victim to BlackMatter, according to Bleeping Computer, include:
- a wine and spirits company
- an investment banking services provider in the U.S.
- a vendor of citrus juicing equipment in Austria
- a maker of drilling and foundation equipment in Italy
- Japanese technology giant Olympus
- a US-based construction company
- a unified communications company in the UK
Never too Late
According to an article published by ZDNet, it might not be too late to defend against a ransomware attack even if attackers have already compromised your network. This does require the organization to have better-than-average threat-hunting capabilities, which allow security staff to find suspicious activity and prevent it from turning into a major problem.
Given that modern human-operated ransomware gangs can spend weeks on a network before encrypting data, there is still a chance they can be detected before lasting damage is done. This requires security staff to have a thorough knowledge of the attack routines hackers typically use. These can involve installing specific types of malware to increase the attacker's level of access, or exploiting favored vulnerabilities to compromise the network.
Being able to find out whether cybercriminals have compromised the network can play a major role in preventing an incident from taking place, or at least in reducing its impact to a bare minimum.
Keeping a ransomware attack restricted to one part of the network is still better than letting it spread across the entire enterprise environment; this also highlights the importance of segmenting the network so that all of it is not exposed at once. It can also help cybersecurity teams learn to prevent additional attacks in the future. Amelia Estwick, director of threat research at VMware, speaking to ZDNet, noted,
“It's so important to have threat-hunting capabilities on the team – if you don't have that in your organization, partner up within the ecosystem – because threat hunting really helps to identify those activities...We already know they're in there, so let's figure out how to batten down the hatches and how they are moving throughout the system, so we can learn to better provide and develop tools to detect and prevent this from occurring again.”