Olympus said in a brief statement on Sunday that it “is currently investigating a potential cybersecurity incident” affecting its computer network in Europe, the Middle East and Africa.
“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensic experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we suspended data transfers in the affected systems and informed the affected external partners,” the statement says.
But according to a person familiar with the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8. The person shared details of the incident before Olympus acknowledged it on Sunday.
A ransom note left on infected computers claimed to belong to the BlackMatter ransomware group. “Your network is encrypted and is not currently operational,” the note reads. “If you pay, we’ll provide you with the decryption programs.” The ransom note also included a web address for a site accessible only through the Tor browser, which is known to be used by BlackMatter to communicate with its victims.
Brett Callow, ransomware expert and threat analyst at Emsisoft, told TechCrunch that the ransom note site is associated with the BlackMatter group.
BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently went dark after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware. Both attacks caught the attention of the US government, which promised to take action if critical infrastructure was hit again.
Groups like BlackMatter lease access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a share of the ransoms paid. Emsisoft has also found technical links and code overlaps between DarkSide and BlackMatter.
Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but the total number of victims is likely to be significantly higher.
Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to post the files online if the ransom to decrypt the files is not paid. Another site associated with BlackMatter, which the group uses to publicize its victims and stolen data, did not have an entry for Olympus at the time of publication.
Olympus, headquartered in Japan, manufactures optical and digital reprographic technologies for the medical and life science industries. The company also manufactured digital cameras and other electronic devices until it sold its struggling camera division in January.
Olympus said it “is currently working to determine the extent of the problem and will continue to provide updates as new information becomes available.”
Olympus spokesperson Christian Pott did not respond to emails and texts asking for comment.