KADOKAWA Corporation Hit by Major Blacksuit Ransomware Attack

Incident Date: June 27, 2024

Overview

Title: KADOKAWA Corporation Hit by Major Blacksuit Ransomware Attack

Victim: KADOKAWA Corporation

Attacker: Black Suit

Location: Tokyo, Japan

First Reported: June 27, 2024

KADOKAWA Corporation Hit by Blacksuit Ransomware Attack

Overview of KADOKAWA Corporation

KADOKAWA Corporation is a prominent Japanese media conglomerate headquartered in Tokyo. The company operates across various sectors of the entertainment and publishing industries, including the production and distribution of books, magazines, films, anime, and video games. KADOKAWA is known for its significant influence in the Japanese pop culture landscape, with a diverse portfolio catering to different market segments.

One of KADOKAWA's core activities is publishing, particularly renowned for its light novels, which often serve as source material for anime adaptations. The company is also heavily involved in the anime industry, producing and distributing anime series and films. Additionally, KADOKAWA has a significant presence in the film industry, producing live-action films that appeal to both domestic and international audiences. The video game sector is another important area for KADOKAWA, developing and publishing games across various platforms. Furthermore, KADOKAWA operates several online platforms and services that distribute digital versions of its media content.

Details of the Ransomware Attack

On June 8, 2024, KADOKAWA Corporation experienced a significant system failure due to a ransomware attack by the Blacksuit group. This cyberattack caused multiple KADOKAWA Group websites, including their main global portal site, to become inaccessible. The attack has raised considerable concern among stakeholders, including readers, users, writers, creators, business partners, shareholders, and investors.

The compromised data includes personal details of students, graduates, and their parents from N Progressive School and N/S High Schools, contracts with creators and businesses associated with DWANGO Co., Ltd., and personal information of creators using DWANGO’s music monetization services. Additionally, personal information of all DWANGO employees and some affiliated company employees, as well as internal documents, have been affected. The attack primarily targeted DWANGO’s dedicated file server, with no evidence of an attack on systems storing information of authors, creators, and customers of KADOKAWA CORPORATION. However, personal information of some authors and creators who had direct dealings with DWANGO was leaked.

KADOKAWA has assured that customer credit card information, including that of Niconico service users, was not stored and thus not leaked. The company expects to receive accurate information from external investigations by July and will report these findings once confirmed. KADOKAWA has issued a heartfelt apology to all affected parties for the distress and inconvenience caused by this incident.

About the Blacksuit Ransomware Group

Blacksuit is a new ransomware family that emerged in 2023 and appears to be closely related to the notorious Royal ransomware group. The ransomware targets both Windows and Linux systems, including VMware ESXi servers. It appends the .blacksuit extension to encrypted files and drops a ransom note named README.BlackSuit.txt in each affected directory, which includes a reference to a Tor chat site where victims can contact the operators.
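
A triage sketch built on the two file indicators named above (the .blacksuit extension and the README.BlackSuit.txt note), added here as an example and not taken from the original report or any vendor tool. It walks a directory tree and sorts affected directories by how much of their content carries the extension; the function names and the three-way classification are assumptions made for illustration.

```python
import os
import sys
from collections import namedtuple

# Indicators taken from the paragraph above.
ENCRYPTED_SUFFIX = ".blacksuit"
RANSOM_NOTE = "README.BlackSuit.txt"

DirFinding = namedtuple("DirFinding", "path note_present encrypted total")


def scan_tree(root):
    """Walk root and return a DirFinding for every directory that holds
    the ransom note or at least one file carrying the encrypted suffix."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        # Compare case-insensitively: Windows file systems ignore case.
        lowered = [name.lower() for name in filenames]
        note = RANSOM_NOTE.lower() in lowered
        encrypted = sum(1 for n in lowered if n.endswith(ENCRYPTED_SUFFIX))
        if note or encrypted:
            # The note itself is not user data, so leave it out of the total.
            total = len(lowered) - (1 if note else 0)
            findings.append(DirFinding(dirpath, note, encrypted, total))
    return findings


def summarize(findings):
    """Split findings into fully encrypted, partially encrypted and
    note-only directories, which helps scope restoration work."""
    summary = {"full": [], "partial": [], "note_only": []}
    for f in findings:
        if f.encrypted == 0:
            summary["note_only"].append(f.path)
        elif f.encrypted == f.total:
            summary["full"].append(f.path)
        else:
            summary["partial"].append(f.path)
    return summary


if __name__ == "__main__":
    # Hypothetical usage: pass the share or mount point to inspect.
    result = summarize(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
    for category, paths in result.items():
        print(f"{category}: {len(paths)} directories")
        for p in paths:
            print(f"  {p}")
```

A directory classed as partial or note_only can indicate encryption that was interrupted, which is worth recording before any restore overwrites the evidence.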

Researchers have found significant similarities between the code and functionality of Blacksuit and Royal ransomware, suggesting that Blacksuit is either a new variant developed by the same authors as Royal, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented some modifications. The emergence of Blacksuit indicates that the threat actors behind Royal may have inspired other cybercriminals to develop similar ransomware families, or it could have originated from a splinter group within the original Royal ransomware gang.

Potential Vulnerabilities and Penetration Methods

Given KADOKAWA Corporation's extensive digital operations and the sensitive nature of the data it handles, the company is a prime target for ransomware attacks. The attack on KADOKAWA primarily targeted DWANGO’s dedicated file server, suggesting that the ransomware group may have exploited vulnerabilities in the server's security protocols. The exact method of penetration remains under investigation, but common vectors include phishing emails, exploiting unpatched software vulnerabilities, and leveraging weak or compromised credentials.
