Full Report
Japanese police confirmed 226 cases of damage from ransomware attacks in 2025, the second-highest annual total, according to data released Thursday by the National Police Agency. The number of ransomware attacks, in which perpetrators use malicious software to encrypt data and demand payment to restore access, rose by four from the previous year. Although some 60 percent of the victims were small and midsize companies, there were cases in which serious damage was inflicted on large companies, such as food and beverage giant Asahi Group Holdings Ltd. and office and household goods supplier Askul Corp.
Analysis Summary
# Incident Report: 2025 Japanese National Ransomware Surge
## Executive Summary
In 2025, Japan experienced a significant surge in ransomware activity, with 226 confirmed cases of damage, the second-highest annual total on record. The attacks primarily hit small and midsize enterprises (SMEs), though large conglomerates such as Asahi Group Holdings and Askul Corp. suffered major operational disruptions. The Qilin ransomware family was the most frequently identified strain during this period.
## Incident Details
- **Discovery Date:** Various (Reported March 12, 2026)
- **Incident Date:** Calendar Year 2025
- **Affected Organization:** Multiple; including Asahi Group Holdings Ltd. and Askul Corp.
- **Sector:** Cross-sector (Food & Beverage, Retail/Logistics, SME Manufacturing)
- **Geography:** Japan (National)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout 2025
- **Vector:** Not detailed in the NPA report. (Ransomware intrusions commonly begin through exposed VPN vulnerabilities or phishing; this is a general pattern, not a finding specific to these cases.)
- **Details:** 226 organizations were affected, with SMEs making up about 60% of victims.
### Lateral Movement
- **Details:** Not specified in the summary report; the scale of the high-profile breaches (Asahi, Askul) indicates that attackers moved from their initial entry points to business-critical data servers.
### Data Exfiltration/Impact
- **Details:** Large-scale encryption of corporate data followed by ransom demands. In 149 of the 226 cases the ransomware strain was identified.
### Detection & Response
- **How it was discovered:** National Police Agency (NPA) data collection and mandatory reporting through 2025.
- **Response actions taken:** International joint investigations led by the NPA; development of specific recovery tools for certain strains.
## Attack Methodology
- **Initial Access:** Not specified in the report; common ransomware entry points (exposed VPN/RDP services) are the likely candidates.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Use of sophisticated ransomware strains to bypass legacy antivirus.
- **Credential Access:** Not specified.
- **Discovery:** System and network scanning.
- **Lateral Movement:** Not specified.
- **Collection:** Targeting of mission-critical business data and household/client contact info.
- **Exfiltration:** Double extortion (data theft prior to encryption) is implied by the ransomware families involved but is not confirmed in the report.
- **Impact:** Data encryption, operational shutdown, and financial extortion.
## Impact Assessment
- **Financial:** Higher recovery costs were directly correlated with the duration of system downtime.
- **Data Breach:** Compromise of internal corporate data and potential supplier/customer information.
- **Operational:** "Serious damage" and prolonged operational disruptions for large-scale Japanese logistics and beverage companies.
- **Reputational:** Significant public reporting on major brands' inability to maintain services.
## Indicators of Compromise
*Note: Specific technical IOCs are not provided in the NPA summary, but the following malware families were identified:*
- **Malware Family:** Qilin (32 cases)
- **Malware Family:** LockBit (19 cases)
- **Malware Family:** 8Base (1 case; declining following law enforcement intervention)
## Response Actions
- **Containment measures:** International law enforcement coordination to dismantle threat actor infrastructure.
- **Eradication steps:** NPA distribution of mitigation strategies.
- **Recovery actions:** The NPA developed and deployed a specific recovery tool for victims of the **8Base** ransomware.
## Lessons Learned
- **Prevention is cheaper than recovery:** Prolonged recovery time significantly increases the total financial loss beyond the ransom demand itself.
- **Law Enforcement Cooperation works:** The dramatic decrease in 8Base attacks demonstrates that international joint investigations and the release of decryption tools by authorities can neutralize specific threat groups.
- **SMEs as weak links:** The high percentage of SME victims (60%) highlights a systemic vulnerability in the national supply chain.
## Recommendations
- **Strengthen SME Security:** Large corporations should audit the cybersecurity posture of their smaller suppliers to prevent attackers from pivoting through the supply chain.
- **Deploy Endpoint Detection & Response (EDR):** Focus on detecting the Qilin and LockBit families, which remain the most active in the region.
- **Regular Backups:** Maintain offline, immutable backups to reduce the leverage of encryption-based extortion.
- **Engage Law Enforcement:** Early reporting to the NPA may provide victims access to proprietary recovery tools (as seen with 8Base).