KADOKAWA Corporation Hit by Major Blacksuit Ransomware Attack
Overview of KADOKAWA Corporation
KADOKAWA Corporation is a prominent Japanese media conglomerate headquartered in Tokyo. The company operates across various sectors of the entertainment and publishing industries, including the production and distribution of books, magazines, films, anime, and video games. KADOKAWA is known for its significant influence in the Japanese pop culture landscape, with a diverse portfolio catering to different market segments.
One of KADOKAWA's core activities is publishing, particularly renowned for its light novels, which often serve as source material for anime adaptations. The company is also heavily involved in the anime industry, producing and distributing anime series and films. Additionally, KADOKAWA has a significant presence in the film industry, producing live-action films that appeal to both domestic and international audiences. The video game sector is another important area for KADOKAWA, developing and publishing games across various platforms. Furthermore, KADOKAWA operates several online platforms and services that distribute digital versions of its media content.
Details of the Ransomware Attack
On June 8, 2024, KADOKAWA Corporation experienced a significant system failure due to a ransomware attack by the Blacksuit group. This cyberattack caused multiple KADOKAWA Group websites, including their main global portal site, to become inaccessible. The attack has raised considerable concern among stakeholders, including readers, users, writers, creators, business partners, shareholders, and investors.
The compromised data includes personal details of students, graduates, and their parents from N Progressive School and N/S High Schools, contracts with creators and businesses associated with DWANGO Co., Ltd., and personal information of creators using DWANGO’s music monetization services. Additionally, personal information of all DWANGO employees and some affiliated company employees, as well as internal documents, have been affected. The attack primarily targeted DWANGO’s dedicated file server, with no evidence of an attack on systems storing information of authors, creators, and customers of KADOKAWA CORPORATION. However, personal information of some authors and creators who had direct dealings with DWANGO was leaked.
KADOKAWA has stated that customer credit card information, including that of Niconico service users, was not stored and therefore was not leaked. The company expects to receive accurate information from external investigations by July and will report these findings once confirmed. KADOKAWA has issued a heartfelt apology to all affected parties for the distress and inconvenience caused by this incident.
About the Blacksuit Ransomware Group
Blacksuit is a new ransomware family that emerged in 2023 and appears to be closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. It appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory, which includes a reference to a Tor chat site where victims can contact the operators.
Researchers have found significant similarities between the code and functionality of Blacksuit and Royal ransomware, suggesting that Blacksuit is either a new variant developed by the same authors as Royal, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented some modifications. The emergence of Blacksuit indicates that the threat actors behind Royal may have inspired other cybercriminals to develop similar ransomware families, or it could have originated from a splinter group within the original Royal ransomware gang.
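To show how the two file indicators described above (the .blacksuit extension and the README.BlackSuit.txt note) can be checked on a file share, here is an added Python example; it is not code from the original article or from any vendor tool. The function names, the case-insensitive matching, and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Indicators as named in the article; matched case-insensitively (an assumption).
ENCRYPTED_EXT = ".blacksuit"
RANSOM_NOTE = "readme.blacksuit.txt"

@dataclass
class DirFinding:
    path: str  # directory path relative to the scan root
    has_note: bool = False
    encrypted: list = field(default_factory=list)

def scan_tree(root):
    """Return one DirFinding per directory under root that shows either indicator."""
    findings = []
    # os.walk skips unreadable directories and does not follow directory symlinks.
    for dirpath, _dirs, filenames in os.walk(root):
        finding = DirFinding(path=os.path.relpath(dirpath, root))
        for name in sorted(filenames):
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                finding.has_note = True
            elif lowered.endswith(ENCRYPTED_EXT):
                finding.encrypted.append(name)
        if finding.has_note or finding.encrypted:
            findings.append(finding)
    return sorted(findings, key=lambda f: f.path)

def triage(findings):
    """Split into (note and encrypted files together, only one indicator present)."""
    confirmed = [f for f in findings if f.has_note and f.encrypted]
    review = [f for f in findings if not (f.has_note and f.encrypted)]
    return confirmed, review

def demo():
    """Constructed sample tree of empty placeholder files (hypothetical names)."""
    layout = {"finance": ["q1.xlsx.blacksuit", "q2.xlsx.blacksuit", "README.BlackSuit.txt"],
              "hr": ["staff.docx"],
              "scratch": ["notes.BLACKSUIT"]}
    with tempfile.TemporaryDirectory() as root:
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        return triage(scan_tree(root))

if __name__ == "__main__":
    print(demo())
```

Directories in the first list carry both the note and renamed files and warrant immediate isolation of the host or share; the second list holds single-indicator hits that need manual review.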
Potential Vulnerabilities and Penetration Methods
Given KADOKAWA Corporation's extensive digital operations and the sensitive nature of the data it handles, the company is a prime target for ransomware attacks. The attack on KADOKAWA primarily targeted DWANGO’s dedicated file server, suggesting that the ransomware group may have exploited vulnerabilities in the server's security protocols. The exact method of penetration remains under investigation, but common vectors include phishing emails, exploiting unpatched software vulnerabilities, and leveraging weak or compromised credentials.