Olympus US Hack: Linked to Russian Ransomware Group

October 20, 2021
Olympus Cyberattack Linked to Sanctioned Russian Group

A sustained cyberattack targeting the Japanese technology firm Olympus has been attributed to a Russian ransomware group previously sanctioned by the U.S. government, as confirmed by sources familiar with the investigation.

Details of the Attack

The attack, which commenced on October 10th, utilized a novel malware strain identified as Macaw. This malicious software encrypted Olympus’ systems across operations in the United States, Canada, and Latin America.

Macaw is recognized as a derivative of WastedLocker, with both being products of Evil Corp., a Russia-based cybercrime organization subjected to U.S. Treasury sanctions in 2019.

Recent Incidents and Previous Attacks

This marks the second ransomware incident impacting Olympus within a two-month period. In September, the company’s networks in Europe, the Middle East, and Africa were compromised by the BlackMatter ransomware group. It is important to note that BlackMatter and Evil Corp. are currently not believed to be affiliated.

Allan Liska, a senior threat analyst at Recorded Future, stated to TechCrunch that the Macaw malware deposits a ransom note on compromised systems, asserting data theft from victims.

Data Exfiltration Concerns

Olympus acknowledged in a recent statement that it is investigating the possibility of data exfiltration. This tactic, known as “double extortion,” is frequently employed by ransomware groups.

It involves stealing sensitive files prior to encryption, with the threat of public release if ransom demands are not met.

Company Response and U.S. Sanctions

When contacted for comment, Olympus spokesperson Jennifer Bannan refrained from answering specific questions or confirming whether a ransom had been paid.

The company issued a statement emphasizing its commitment to protecting its systems, customers, and patients, and declining to discuss criminal actors or their actions. It also pledged to notify affected parties appropriately.

U.S. Treasury sanctions complicate ransom payments for companies operating within the United States. These sanctions generally prohibit transactions with designated entities like Evil Corp.

Evil Corp. has a history of rebranding and modifying its malware to evade these U.S. sanctions.

Wider Impact: Sinclair Broadcast Group

Reports from Bloomberg indicate that the Macaw malware was also responsible for significant disruptions last week at Sinclair Broadcast Group, a company owning or operating 185 television stations across over 80 markets.

Sinclair confirmed that data was stolen from its network, though the specific nature of the compromised information remains unclear.

Previous Evil Corp. Targets

Evil Corp. has been linked to prior high-profile attacks, including those targeting Garmin, which experienced a near week-long outage following a 2020 ransomware attack, and the insurance company CNA.

These incidents demonstrate the group’s continued activity and evolving tactics in the realm of cybercrime.