
The BlackSuit ransomware gang claimed a recent cyberattack on KADOKAWA corporation and is now threatening to publish stolen data if a ransom is not paid.

KADOKAWA is a Japanese media conglomerate that operates numerous companies in film, publishing, and gaming industries, such as FromSoftware, the maker of Elden Ring.

Almost three weeks ago, the company reported that "multiple websites of the KADOKAWA Group are currently experiencing service outages" due to a cyberattack on June 8.

The incident impacted most of the operations of the company and its subsidiaries, as they were hosted in the same data center, which was encrypted by ransomware. The impacted companies included the popular Japanese video-sharing platform Niconico, as first reported by TheRecord.

Since then, KADOKAWA has been providing updates on the status of the cyberattack and its impact on its infrastructure.

The latest update is from today, in which KADOKAWA says most of its operations continue to be impacted, with all Niconico services still suspended.

"In response to the system failure, KADOKAWA is working on building a secure network and server environment," explains today's update.

"Its top priority is to restore the accounting functions, which are fundamental to its business activities, and to normalize the manufacturing and distribution functions in the publication business, which generate considerable revenue. The accounting functions, owing partly to measures in an analog manner, are expected to be restored in early July."

While KADOKAWA revealed that it had suffered a ransomware attack, it had not shared which ransomware operation was behind it.

Today, the BlackSuit ransomware gang claimed responsibility by adding the company to its data leak site and publishing a small sample of the stolen data.

The threat actors say they'll publish all of the stolen data on July 1 if a ransom is not paid, including contacts, confidential documents, employee data, business plans, and financial data.

KADOKAWA on the BlackSuit data leak site
Source: BleepingComputer

The BlackSuit ransomware operation was launched in May 2023 as a rebrand of the Royal ransomware operation.

The ransomware operators are believed to be from the now shut-down Conti cybercrime syndicate, an organized cybercrime gang composed of Russian and Eastern European threat actors.

In November 2023, the FBI and CISA warned that the ransomware operation was linked to attacks on at least 350 organizations worldwide since September 2022 and more than $275 million in ransom demands.

Most recently, BlackSuit conducted an attack on CDK Global, which caused massive disruption to car dealerships throughout North America.
