Skip links

Ex-camera biz Olympus investigating ‘suspicious’ network activity again a month after ransomware hit

Olympus, the Japanese company once known for making cameras, is investigating “suspicious” activity on its networks again – a month after those same networks were ravaged by ransomware.

In a statement issued last night the company said it had “mobilized a specialized response team including forensics experts” in response to a “cybersecurity incident” that was affecting its IT networks across North and South America.

The attack began on 10 October. Affected systems are said to have been “suspended” and affected customers and suppliers informed, said Olympus.

“Protecting our customers and maintaining their trust in us is our highest priority,” added the company, which sold its iconic camera business last year. These days it concentrates on medical and scientific optics.

The original ransomware attack in September saw Olympus targeted by the BlackMatter ransomware-as-a-service gang, as reported elsewhere. The Japanese company said last month it was mobilising “a specialised response team including forensics experts,” raising suspicions that the latest incident is another ransomware attack.

BlackMatter is a rebrand of the Darkside ransomware gang who shot to global notoriety after causing the shutdown of the US Colonial Pipeline during May, a major petrochemical conduit for America’s east coast. Amid mounting rage from the US and hints that a major reaction from law enforcement was in the pipeline, Darkside claimed it was shutting up shop – only to give the lie to that promise by targeting a school in Doncaster one day later.

Publicity is good except when we don’t control it

Ransomware attacks are still prevalent across all sectors of society, though reporting of them has subsided a little in recent months.

A recent rant posted on a Tor-hosted blog by one gang, Conti, promised victims that stolen data would be dumped online for all to see if they spoke to the media – while, of course, reserving the right for the criminals to talk to “respected journalist and researcher personalities” [sic] and brag about their crimes. Some excitable infosec bloggers, and even proper news outlets, have confused contextualised news reporting with the glorification of criminality.

Referring to one recent extortion they carried out, the Conti crims wrote: “However, since the publication [of news about it] happened in the middle of negotiations it resulted in our decision to terminate the negotiations and publish the data.”

They added: “If we see a clear indication of our negotiations being sent to the media we will terminate the negotiations and dump all the files on our blog… if we see our chats in public we will also dump your files.”

This presents a challenge to some “respected journalist and media personalities” who would log into ongoing ransomware negotiation chats using credentials published by the extortionists for their victims to use, copy the contents and publish them for all to read – inadvertently (one would hope) applying extra pressure to victims at their lowest moments.

Anti-ransomware firm Emsisoft researcher Brett Callow mused to The Register: “There’s a difference between the crims disclosing information that it makes sense for them to disclose and security companies and law enforcement getting information which could put a dent in [ransomware gangs’] bottom line. Simple example: some operators will immediately accept a low counter offer. They don’t, however, supply a decryptor when the agreed ransom is paid. At this point, they know the company needs that encrypted data, so revert to the initial higher demand.”

He added: “This is especially true of crims that use pay-once-use-forever off-the-shelf ransomware. They don’t need to look after their reputation, so can do whatever the hell they want.” ®