Ransomware-as-a-service pandemic must be interrupted, says Cambridge cybersecurity specialist Darktrace
Cybercrime has escalated to pandemic levels, with the latest victim being Japanese optical technology giant Olympus – and Cambridge cybersecurity specialist Darktrace has warned that “no organisation is immune”.
Cyberthreats were once the work of individuals, but this decade has seen a huge rise in sophisticated attacks sponsored or orchestrated by state actors. The attack on the former digital camera company, now a medical and life sciences tech giant, has shut down Olympus’ networks in Europe, Africa and the Middle East while it investigates the incident.
The ransomware attack was probably by the BlackMatter syndicate. BlackMatter could be a rebrand of REvil or DarkSide, which was responsible for the Colonial Pipeline ransomware attack in May. That hack – which took down the largest fuel pipeline in the US and led to shortages across the East Coast – was the result of a single compromised password, according to a cybersecurity consultant who investigated the crime.
Hackers gained entry into the networks of Colonial Pipeline Co. on April 29 through a VPN (virtual private network) account, which was used for employees to remotely access the company’s computer network, said Charles Carmakal, senior vice president at cybersecurity firm Mandiant, part of FireEye Inc. The account was not in use at the time of the attack but could still be used to access Colonial’s network, he said.
President Biden took note of the attack and said he was being regularly briefed. It seems that the publicity from the attack resulted in a lot of heat for the gang, which the FBI said it believed to be operated by a Russian cybercrime gang. It was disbanded after the Colonial Pipeline event – but it had already lifted more than $90m in Bitcoin from 47 of the companies it hacked. It is understood that 99 companies were hacked in total by DarkSide.
By June, BlackMatter was taking over where DarkSide left off. Since then, security specialist Emsisoft has recorded more than 40 separate attacks attributed to BlackMatter, but suggests that the total number of hits could be ‘significantly higher’. BlackMatter has so far targeted corporate entities with annual revenues of $100m-plus.
The hacks are enabled by the exposure of a single password from a system. It is not clear whether the passwords are exposed through employee negligence, by accident, or by design.
“We are currently working with the highest priority to resolve this issue,” said Olympus in a statement. “As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners.”
The latest attack suggests that ransomware-as-a-service has become the dominant model for cyberthreats: the developers of the malware effectively outsource the actual hacking and infecting of a target to one or more non-technical criminals, and then split whatever ransom comes in with them.
Marcus Fowler, director of strategic threat at Darktrace, said: “The ransomware attack on Olympus continues the trend that no organisation, irrespective of size or industry, is immune from cyber-threats. The group responsible for the Olympus attack is assessed to be BlackMatter, a newer ransomware-as-a-service group. BlackMatter is said to be born out of DarkSide, the hacking group responsible for the Colonial Pipeline attack. In the aftermath of the Colonial attack, the Biden Administration’s designation of ransomware as a national security threat most likely resulted in the dissolution of DarkSide, and this may be a new trend of these hacking groups being more temporary to distract from a government focus on any one group. Over the long term this could make it even more difficult for the intelligence community and law enforcement to target and dismantle these groups.
“The emergence of ransomware-as-a-service and double extortion ransomware has made this kind of cybercrime more efficient and profitable for cybercriminals. As ransomware attacks increase globally across industries, traditional approaches to cyber security are no longer good enough. Ransomware attacks move so rapidly across an organisation’s digital environment to disable systems and encrypt files that they outpace a human security team’s ability to respond.
“By the time organisations like Olympus have managed to detect and ‘mobilise a specialised response team’ – the damage has already been done. The reality is that you can’t stop breaches – but you can prevent the disruption they cause. This is why organisations are increasingly turning to AI and ‘autonomous response’ technology that is capable of pinpointing anomalous, threatening activity in real time and interrupting the threat before it escalates to a full-blown attack.”