Technology giant Olympus hit with ransomware attack

Olympus, a medical technology manufacturing giant, has confirmed it has been the victim of a ransomware attack carried out by the BlackMatter ransomware-as-a-service group. The Japan-headquartered corporation manufactures optical and digital reprography technology used in the medical and science sectors.

The cyber attack occurred on September 8th, with affected computers displaying a ransom note reading that “[their] network is encrypted, and not currently operational” and that if Olympus pays the ransom, “programs for decryption” will be provided. The ransom note included a web address that could only be accessed through the Onion Router (Tor) Browser, a typical medium used by BlackMatter to communicate with their victims.

In a brief statement issued on Saturday, Olympus stated they were “currently working to determine the extent of the issue” that has affected its computer networks for Europe, the Middle East and Africa. The corporation further elaborated in another release on the same day that “Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue” and that they had “suspended data transfers in the affected systems and have informed the relevant external partners” as part of the investigation.

BlackMatter are seemingly successors to several threat groups, including REvil and DarkSide. REvil is responsible for the Kaseya ransomware supply-chain attack that compromised hundreds of organisations, while DarkSide is infamous for the cyber attack on the US Colonial Pipeline. Both cyber attacks were very high-profile and got the attention of the US government, which threatened to take action if critical infrastructure was targeted again.

DarkSide and REvil both went silent immediately after the attacks. While REvil has recently returned from their disappearing act as of last week, it appears DarkSide chose to rebrand as BlackMatter. As further evidence of the connection between BlackMatter and DarkSide in particular, Emsisoft, a New Zealand-based anti-virus software company, has discovered technical links and code overlaps between the two groups.

How does BlackMatter work? 

BlackMatter, as is standard for ransomware-as-a-service groups, rents out access to their advanced, high-end ransomware to recruited affiliates in order to conduct cyber attacks. The group has previously posted ads on the dark web, using two cybercrime forums called Exploit[.]in and XSS[.]is, looking for cybercriminals who have access to a potential victim’s network. On XSS[.]is, they also specified that the target organization should have revenue of more than 100 million dollars and 500-1500 hosts.

If affiliates are successful in launching an attack and receiving the ransom payment, BlackMatter takes a cut of the profits as well. With ransomware demands surging by 518 percent in 2021, there is a lot of money to be gained in this criminal enterprise; so much, in fact, that affiliates are willing to make a deposit of 120,000 dollars to the ransomware-as-a-service group in order to participate in the scheme.

Typically, ransomware groups such as BlackMatter steal data from a company’s network prior to encrypting it, then threaten to publish the sensitive data online if the ransom isn’t paid, as a further way of pressuring companies to pay. However, on the dark web site BlackMatter uses to advertise and publicise stolen data, there isn’t, at the time of release, an entry for Olympus yet.

Who are the victims of the ransomware? 

Ever since the new group appeared in June 2021, Emsisoft has managed to record over 40 ransomware attacks attributed to BlackMatter, although the real number is likely significantly higher.

As for BlackMatter’s chief targets, on their dark web homepage the group has claimed they won’t purposefully conduct cyber attacks against:

  • Hospitals 
  • Critical infrastructure facilities, such as nuclear power plants, power plants and water treatment facilities. 
  • Oil and gas industry, such as pipelines, oil refineries, etc. 
  • Defence industry. 
  • Non-profit companies. 
  • Government sector. 

Details in the issue brief released by the U.S. Department of Health and Human Services’ (HHS) cybersecurity arm also include claims from BlackMatter representatives that if an organisation included in the list, such as a hospital or non-profit company, does suffer a cyber attack due to their ransomware, it can apparently request free decryption.

Given these precursors, we can surmise that private organisations would be the chief target of BlackMatter. However, the Health Sector Cybersecurity Coordination Center (HC3) has cautioned that health organisations may not be out of the woods yet, as “these details are what BlackMatter claims to be, and may not be accurate.” With the ransomware attack on Olympus, this seems to prove true for medical technology suppliers to hospitals and other health organisations.

Presumably, other companies who made the non-target list and may think they’re therefore safe are very likely not, as lying wouldn’t be the most serious crime BlackMatter has committed.
