BlackSuit ransomware gang claims responsibility for attack on KADOKAWA Group

The BlackSuit ransomware gang has claimed responsibility for a recent cyberattack on the KADOKAWA corporation and is now threatening to publish the stolen data if a ransom is not paid.

KADOKAWA is a Japanese media conglomerate that operates numerous companies in the film, publishing and gaming industries, including FromSoftware, the maker of Elden Ring.

Almost three weeks ago, the company reported that “several KADOKAWA Group websites are currently experiencing service outages” due to a cyberattack on June 8.

The incident impacted most of the company’s business activities and those of its subsidiaries, as they were hosted in the same data center and were encrypted by ransomware. Among the affected companies was popular Japanese video-sharing platform Niconico, which was first reported by TheRecord.

Since then, KADOKAWA has been providing updates on the status of the cyberattack and its impact on the infrastructure.

The latest update is from today and states that KADOKAWA has continued to have much of its operations impacted and all Niconico services are still suspended.

“In response to the system outage, KADOKAWA is working to build a secure network and server environment,” today’s update states.

“The top priority is to restore accounting functions, which are fundamental to business operations, and to normalize manufacturing and distribution functions in the publishing business, which generate significant revenue. Accounting functions are expected to be restored in early July, partly as a result of analogue measures.”

Although KADOKAWA announced that it had fallen victim to a ransomware attack, it did not disclose which ransomware operation was behind the attack.

Today, the BlackSuit ransomware gang claimed responsibility by adding the hotel chain to their data leak site and publishing a small sample of the stolen data.

The threat actors say they will release all stolen data on July 1 if a ransom is not paid, including contacts, confidential documents, employee data, business plans and financial data.

The BlackSuit ransomware operation was launched in May 2023 as a rebranding of the Royal ransomware operation.

The operators of the ransomware are believed to be from the now-defunct cybercrime syndicate “Conti”, an organized cybercrime gang made up of Russian and Eastern European threat actors.

In November 2023, the FBI and CISA warned that the ransomware operation was linked to attacks on at least 350 organizations worldwide since September 2022 and ransom demands totaling over $275 million.

Most recently, BlackSuit carried out an attack on CDK Global, causing massive disruption to auto retailers across North America.