BlackMatter attack on Olympus shows troubling rise of ransomware-as-a-service

Olympus says its EMEA IT network has been hit by "suspicious activity", and a ransom demand was left behind.
13 September 2021

Olympus says its EMEA IT network has been hit by “suspicious activity”, with a ransom note left on devices claiming to be from the BlackMatter ransomware group.

Japanese tech hardware firm Olympus is recovering from a ransomware attack that began in the early hours of September 8, and which is being attributed to the ransomware-as-a-service group BlackMatter.

Olympus released a brief statement saying it is “currently investigating a potential cybersecurity incident” affecting its European, Middle Eastern, and African computer network. “Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement reads.

But according to sources with knowledge of the incident, details of the attack, including a ransom note, were shared even before Olympus acknowledged it. “Your network is encrypted, and not currently operational,” the ransom notice allegedly states. “If you pay, we will provide you the programs for decryption.”

The ransom note further pointed to a web address for a site accessible only through the Tor Browser, which is known to be used by the BlackMatter group to collect ransoms from its victims.

This latest incident illustrates how attacks of a certain scale are still being organized by ransomware-as-a-service groups like BlackMatter, itself an offshoot of ransomware gangs such as DarkSide, which orchestrated the high-profile attack on Colonial Pipeline, and REvil, which was behind the Kaseya attack that affected hundreds of companies before the group disappeared shortly thereafter.

Rise of ransomware-as-a-service

Both the Colonial and Kaseya attacks demanded ransoms in return for decryption software to unlock affected critical infrastructure, drawing the attention of the US federal government and placing ransomware attacks squarely back in the spotlight.

But why are groups like BlackMatter, which emerged in June and has thus far been implicated in over 40 ransomware incidents, considered ransomware-as-a-service groups? They operate like traditional ransomware perpetrators in that they invade a system and encrypt data before demanding payment, but major groups like BlackMatter also rent out access to infrastructure from which their affiliates launch attacks.

When ransoms get paid out, BlackMatter takes a cut in exchange for renting out its infrastructure. Ransomware researchers at Emsisoft have also uncovered code overlaps and other technical links that tie BlackMatter to its prolific predecessor DarkSide.

Former camera equipment manufacturer Olympus sold its flagging camera division early this year, and now focuses on optical and digital reprography technology for the medical and life sciences fields. The company said it was “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

At the time of writing, a site that the BlackMatter group uses to publish its victims' data had yet to show an entry for Olympus.