Japanese tech-giant Konica Minolta was recently hit by a newly discovered form of ransomware impacting its services and products.

Headquartered in Tokyo, Konica Minolta is a multinational technology company employing around 44,000 employees, with recorded revenues of $9 billion last year. The technology giant currently delivers an extensive range of products and services that includes technology for the healthcare sector and solutions for printing. It also provides managed information technology services for enterprises.

Konica Minolta customers encounter an outage

Reports arrived on July 30 from customers stating that Konica Minolta’s dedicated site, offering both support and supply of its products, was unable to be accessed. A message was posted on the website, commenting on the outage, and it informed its users:

“The Konica Minolta MyKMBS customer portal is temporarily unavailable. We are working hard to resolve the issue and apologise for any inconvenience this may have caused you. If you need immediate assistance for service, please call our Global Customer Services at 1-800-456-5664 (US) or 1-800-263-4410 (Canada).”

Konica Minolta’s portal experienced downtime for close to a week, with the tech firm’s customers commenting that they had been unable to acquire a direct answer explaining the cause of the outage. Konica Minolta equipment, including its printers, then began displaying error messages to users, announcing that service notifications had failed. To assist with this issue, the company updated its customer message, including a link to a supporting document.

Ransom note revealed

Following reports from customers that those contacted at Konica Minolta has suggested the site outage was related to a breach, computer help site BleepingComputer attempted to contact the firm, before putting out a call for any information associated with the incident.
Not long after issuing its request, BleepingComputer received a shared version of the ransom note used in the malicious attack on Konica Minolta. In the form of a text file, the note was clearly marked for the company’s attention:

“!!KONICA_MINOLTA_README!!”

After further investigation, BleepingComputer uncovered that the company’s devices had been encrypted and it identified the extension appended to files coded by the ransomware.

The note used to demand payment from Konica Minolta is connected to a recent form of ransomware known as RansomEXX. This malicious software was identified back in June, after it was used as part of an attack in the US on the Department of Transport for the State of Texas.

As with multiple other types of ransomware that target enterprises and institutions, RansomEXX requires human operation. This involves threat actors penetrating a chosen network and infiltrating its systems and devices over an extended period of time until they successfully obtain administrator level credentials.

Once these authorisation rights have been acquired, the threat actors can then deploy the RansomEXX onto the network and comprehensively encrypt all its associated devices.

Information currently available on RansomEXX would suggest that the malware does not steal company data before it encrypts devices, although it may be updated to execute this additional task in the future.