Kadokawa Paid $3 Million Ransom, BlackSuit Ransomware Still Leaked Stolen Data

Japanese media giant Kadokawa Corp. reportedly paid a $2.98 million ransom to the Russia-linked BlackSuit ransomware gang following a major cyberattack in June 2024. Despite the payment, the group leaked 1.5 terabytes of stolen data.

The ransomware attack, which began on June 8, targeted Kadokawa's servers, including systems supporting the popular video-streaming platform Niconico and related services. BlackSuit claimed responsibility, stating they had infiltrated Kadokawa's network weeks before the attack, exploiting vulnerabilities to access a trove of sensitive data such as employee details, contracts, and financial records.

Kadokawa Corp., a prominent player in Japan's media landscape, is known for its extensive publishing, film, and web services businesses. The ransomware attack severely disrupted operations across its divisions. Niconico services were suspended for weeks, forcing Kadokawa to implement temporary platforms to sustain functionality. Publishing and merchandise operations also faced significant delays, further straining the company's reputation and finances.

Negotiating a ransom payment

Internal correspondence seen by cybersecurity firm Unknown Technologies revealed tense negotiations between Kadokawa executives and the hackers. On June 13, BlackSuit demanded $8.25 million, a sum Kadokawa's COO of subsidiary Dwango Co., Shigetaka Kurita, deemed unfeasible. Kurita disclosed to the attackers that company compliance policies limited payments to $3 million due to heightened scrutiny following prior scandals, including bribery allegations tied to the Tokyo Olympics.

The ransomware group issued an ultimatum: pay $2.98 million in Bitcoin within 48 hours, or the data would be leaked. Blockchain analysis by Unknown Technologies confirmed that 44 Bitcoins, worth $2.98 million at the time, were transferred to an account linked to BlackSuit. Despite this payment, the group reneged on their promise and leaked the stolen data.

Data leaked anyway

The ransomware actors exposed the personal data of all employees at Dwango Co. and other sensitive corporate information. While Kadokawa confirmed no credit card information was compromised, the fallout has been immense, affecting stakeholders, users, and the company's public image.

Kadokawa has declined to officially confirm the ransom payment, citing ongoing police investigations. However, the leaked details of the payment have reignited debates on the ethics and efficacy of ransom negotiations. Experts warn that paying ransoms often emboldens attackers, who may still leak data or target the victim again.