
Olympus Hit by BlackMatter Ransomware - Cyberattack News

September 12, 2021

Olympus Investigates Potential Cybersecurity Incident

Olympus has released a statement confirming that it is presently investigating a possible cybersecurity breach impacting its computer network across Europe, the Middle East, and Africa.

The company indicated that, following the identification of questionable activity, a dedicated response team, including forensic specialists, was promptly activated. Efforts are being prioritized to resolve the situation. As part of this investigation, data transmission within the impacted systems has been temporarily halted, and relevant external stakeholders have been notified.

Ransomware Attack Confirmed

Sources familiar with the situation reveal that Olympus is in the process of recovering from a ransomware attack which commenced in the early hours of September 8th. Details regarding the incident were shared before Olympus publicly acknowledged the event on Saturday.

A ransom note discovered on compromised computers attributes the attack to the BlackMatter ransomware group. The message states that the network has been encrypted and is currently inoperable. It offers decryption programs in exchange for payment.

The note also provided a web address, accessible only via the Tor Browser, which is known to be utilized by BlackMatter for communication with victims.

BlackMatter Ransomware Group

Brett Callow, a ransomware expert and threat analyst at Emsisoft, confirmed to TechCrunch that the website referenced in the ransom note is linked to the BlackMatter group.

BlackMatter operates as a ransomware-as-a-service organization, emerging as a successor to several other groups, including DarkSide and REvil.

DarkSide gained notoriety following a significant ransomware attack on Colonial Pipeline, while REvil became inactive for a period after the Kaseya attack affected numerous companies. Both incidents attracted scrutiny from the U.S. government, which pledged action against future attacks on critical infrastructure.

REvil has since reappeared, but has not yet claimed responsibility for additional attacks.

How BlackMatter Operates

Groups like BlackMatter provide access to their infrastructure to affiliates, who then execute attacks. BlackMatter receives a percentage of any ransom payments made. Emsisoft has identified technical connections and code similarities between DarkSide and BlackMatter.

Since BlackMatter emerged in June, Emsisoft has documented over 40 ransomware attacks attributed to the group, though the actual number of victims is likely much higher.

Typically, ransomware groups such as BlackMatter will exfiltrate data from a company’s network prior to encryption, subsequently threatening to publish the stolen files online if the ransom is not paid.

As of the time of publication, Olympus was not listed on another website associated with BlackMatter, which the group uses to showcase its victims and advertise stolen data.

Olympus Background

Olympus, headquartered in Japan, specializes in the production of optical and digital reprography technologies for the medical and life sciences sectors.

The company previously manufactured digital cameras and other consumer electronics, but divested its camera division in January.

Olympus stated it is “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

Christian Pott, a spokesperson for Olympus, confirmed that customer service operations remain unaffected, but declined to provide further commentary.
