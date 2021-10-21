



An “ongoing” cyberattack against Japanese tech giant Olympus was caused by a Russian ransomware group sanctioned by the US government, according to two people with knowledge of the incident.

A new variant of malware known as Macaw was used in the attack that began on October 10, which encrypted Olympus systems in the United States, Canada and Latin America. Macaw is a variant of the WastedLocker malware, both created by Evil Corp., a Russia-based criminal group that faced US Treasury sanctions in 2019.

It is the second ransomware attack to hit the company in as many months, after its networks in Europe, the Middle East and Africa were taken offline by ransomware group BlackMatter in September. (BlackMatter and Evil Corp. are not known to be related.)

“Olympus was hit by BlackMatter last month and then Macaw about a week ago,” Allan Liska, senior threat analyst at security firm Recorded Future, told TechCrunch. Liska said that the Macaw malware leaves behind a ransom note on hacked computers that claims to have stolen data from its victims.

Olympus said in a statement Tuesday that the company is investigating the “likelihood of data exfiltration,” a common technique used by ransomware groups known as “double extortion,” where hackers steal files before encrypting the victim’s network and threaten to post the files online if the ransom to decrypt the files is not paid.

Contacted on Wednesday, Olympus spokeswoman Jennifer Bannan declined to answer our questions or say whether the company had paid the ransom.

“In the best interests of the safety of our system, our customers and their patients, we will not comment on criminal actors and their actions, if any. We are committed to providing appropriate notifications to relevant stakeholders,” the company said in a statement.

Treasury sanctions make it more difficult for companies based or operating in the United States to pay a ransom to recover their files because it is “generally prohibited” for United States citizens to deal with sanctioned entities. Evil Corp. has renamed and modified its malware several times to circumvent US sanctions.

Bloomberg reported on Wednesday that the Macaw malware was also used to cause widespread disruption last week at Sinclair Broadcast Group, which owns or operates 185 TV stations in more than 80 markets. Sinclair said in a statement Monday that although some data was stolen from Sinclair’s network, it was not clear exactly what information was taken.

Evil Corp. also launched attacks against Garmin, which caused an outage for nearly a week after a ransomware attack in 2020, as well as against insurance giant CNA.

