Olympus US hack tied to sanctioned Russian ransomware group

An “ongoing” cyberattack against the Japanese technology giant Olympus was caused by a Russian ransomware group sanctioned by the U.S. government, according to two people with knowledge of the incident.

A new malware variant known as Macaw was used in the attack that began on October 10, which encrypted Olympus’ systems in the U.S., Canada and Latin America. Macaw is a variant of the WastedLocker malware, both of which were created by Evil Corp., a Russia-based crime group that was subject to U.S. Treasury sanctions in 2019.

It’s the second ransomware attack to hit the company in as many months, after its networks in Europe, the Middle East and Africa were knocked offline by the BlackMatter ransomware group in September. (BlackMatter and Evil Corp. are not known to be linked.)

“Olympus was hit by BlackMatter last month and then hit by Macaw a week or so ago,” Allan Liska, a senior threat analyst at security firm Recorded Future, told TechCrunch. Liska said that the Macaw malware leaves behind a ransom note on hacked computers that claims to have stolen data from its victims.

Olympus said in a statement on Tuesday that the company was investigating the “likelihood of data exfiltration.” Exfiltration is central to a common ransomware technique known as “double extortion,” in which the hackers steal files before encrypting the victim’s network and then threaten to publish those files online if the ransom to decrypt them is not paid.

When reached on Wednesday, Olympus spokesperson Jennifer Bannan declined to answer our questions or say if the company paid the ransom.

“In the best interests of the security of our system, our customers and their patients, we will not comment on criminal actors and their actions, if any. We are committed to providing appropriate notifications to impacted stakeholders,” the company said in a statement.

Treasury sanctions make it more difficult for companies based or operating in the United States to pay a ransom to get their files back, since U.S. nationals are “generally prohibited” from transacting with sanctioned entities. Evil Corp. has renamed and modified its malware several times to circumvent U.S. sanctions.

Bloomberg reported Wednesday that the Macaw malware was also used to cause widespread disruption last week at Sinclair Broadcast Group, which owns or operates 185 television stations across more than 80 markets. Sinclair said in a statement on Monday that while some data was stolen from Sinclair’s network, it wasn’t clear exactly what information was taken.

Evil Corp. also launched attacks on Garmin, whose 2020 ransomware attack caused a nearly week-long outage, and on insurance giant CNA.