Surge in Ransomware Attacks Targets Japanese Organizations

In the first half of 2025, Japan witnessed a significant escalation in ransomware attacks, with incidents rising by approximately 1.4 times compared to the same period in 2024. Cybersecurity analysts reported 68 ransomware cases affecting Japanese organizations between January and June 2025, up from 48 cases during the corresponding period last year. This surge underscores the evolving and persistent threat landscape confronting Japanese enterprises across various sectors.

Targeted Sectors and Organizations

Attackers have shown a marked preference for small and medium-sized enterprises (SMEs), with organizations possessing capital under 1 billion yen comprising 69% of all victims. The manufacturing sector remains the most severely impacted, accounting for 18.2% of all incidents, followed by automotive companies at 5.7%. The monthly incident rate averaged approximately 11 attacks, fluctuating between a minimum of 4 and a maximum of 16 cases per month, indicating consistent threat actor activity throughout the observation period.

Emerging Threat Actors

A notable shift in the ransomware threat landscape has been identified, with the Qilin group emerging as the most active operator targeting Japanese organizations. Despite having no reported activity in Japan during fiscal year 2024, Qilin orchestrated eight confirmed attacks during the first half of 2025, establishing itself as a primary concern for Japanese cybersecurity professionals. This increase coincided with the cessation of activities by previously dominant groups LockBit and 8base, which were disrupted by law enforcement operations in February 2024 and February 2025, respectively.

Additionally, a new ransomware group named Kawa4096 began operations in late June 2025, immediately targeting Japanese companies. Within its first week, this group successfully compromised two Japanese organizations, demonstrating an alarming focus on the Japanese market from its inception. The rapid targeting by this new group suggests sophisticated threat intelligence and operational capabilities.

Technical Analysis of KaWaLocker Ransomware

The KaWaLocker ransomware deployed by Kawa4096 exhibits advanced technical characteristics that distinguish it from conventional ransomware families. The malware utilizes a resource-based configuration system, loading critical operational parameters through the FindResourceW API from embedded RCDATA sections. This approach allows attackers to customize encryption behavior, file exclusions, and post-infection commands without modifying the core executable.

KaWaLocker uses the Salsa20 stream cipher with a chunk-based encryption strategy that scales with file size. Files smaller than 10 MB are encrypted in full, while larger files are encrypted selectively with varying chunk sizes: files between 32 MB and 64 MB receive 32 MB chunks, and files exceeding 2 GB are processed in 128 MB segments. This selective approach significantly reduces encryption time while still leaving the data inaccessible.
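A defender-side illustration of what selective encryption means for detection, added here and not taken from the article or from any KaWaLocker analysis: a block-wise entropy profile flags the overwritten regions of a file whose whole-file entropy still looks unremarkable. The 64 KiB window, the 7.5 bits/byte threshold, the sample layout and all function names are assumptions chosen for the demo, and the sample data is constructed.

```python
import hashlib
import math
from collections import Counter

BLOCK = 64 * 1024     # assumed analysis window; not a KaWaLocker parameter
THRESHOLD = 7.5       # assumed bits-per-byte cut-off for "looks encrypted"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_runs(blob: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Return (start, end) byte offsets of contiguous high-entropy regions."""
    runs, start = [], None
    for off in range(0, len(blob), block):
        high = entropy(blob[off:off + block]) >= threshold
        if high and start is None:
            start = off
        elif not high and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(blob)))
    return runs

def classify(blob: bytes) -> str:
    """Label a file as clear, partially encrypted, or fully encrypted."""
    covered = sum(end - start for start, end in encrypted_runs(blob))
    if covered == 0:
        return "clear"
    return "fully encrypted" if covered == len(blob) else "partially encrypted"

def keystream_like(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 over a counter."""
    out = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

def build_sample() -> bytes:
    """Constructed 1 MiB file: blocks 0-1 and 8-9 overwritten, the rest clear text."""
    line = b"2025-06-30 12:00:01 INFO order=1234 status=shipped\n"
    text = (line * (6 * BLOCK // len(line) + 1))[:6 * BLOCK]
    enc = keystream_like(2 * BLOCK)
    return enc + text + enc + text

if __name__ == "__main__":
    sample = build_sample()
    print(f"{entropy(sample):.2f} bits/byte overall:", classify(sample), encrypted_runs(sample))
```

Compressed and media formats also score near 8 bits/byte, so compare a profile against a known-good copy or backup of the same file rather than treating high entropy alone as proof of encryption. A trailing block of only a few hundred bytes cannot reach the threshold even when encrypted, so its verdict is unreliable.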

Recent High-Profile Incidents

Several high-profile ransomware attacks have highlighted the vulnerabilities within Japanese organizations:

– Port of Nagoya Attack: In July 2023, the Port of Nagoya, Japan’s largest maritime port, suffered a ransomware attack that disrupted cargo operations. The attack forced a shutdown of container operations, affecting over 10% of the country’s trade. Operations were halted for several days, causing significant financial losses and delays in the transfer of goods to and from Japan.

– Kadokawa and Niconico Breach: In June 2024, Kadokawa Corporation and its subsidiary Niconico experienced a ransomware attack by the Russian-linked hacker group BlackSuit. The attack led to a systemwide crash, delaying publication deliveries and halting the organization’s video streaming service. Approximately 254,241 users’ data were leaked, and services remained offline for nearly two months.

– Kintetsu World Express Incident: In April 2025, Kintetsu World Express, a major Japanese logistics provider, confirmed a ransomware attack that disrupted some of its systems. The company is in the process of restoring affected systems and has notified customers about potential data compromises.

Government Response and Legislative Measures

In response to the escalating cyber threats, Japan enacted the Active Cyberdefense Law (ACD) in May 2025. This landmark legislation allows the government to be more proactive in combating cyberattacks. The ACD permits the monitoring of IP communications between Japan and foreign nations and empowers authorities to neutralize adversarial servers. It also mandates critical infrastructure operators to report breaches, addressing previous reluctance due to reputational concerns. The law aims to enhance Japan’s cyber defense capabilities to match those of leading Western nations.

Challenges and Recommendations

Despite legislative efforts, Japan faces significant challenges in bolstering its cybersecurity defenses. The country has a shortfall of approximately 110,000 qualified cybersecurity professionals, underscoring the need for investment in education and training. Additionally, Japanese companies often lack transparency in disclosing cyber incidents, which can hinder effective response and recovery efforts.

To mitigate the rising threat of ransomware attacks, organizations are advised to:

– Enhance Cybersecurity Measures: Implement robust security protocols, including regular software updates, employee training, and incident response plans.

– Invest in Talent Development: Address the shortage of cybersecurity professionals by investing in education and training programs.

– Foster Transparency: Adopt transparent practices in reporting cyber incidents to facilitate timely response and recovery.

– Collaborate with Authorities: Work closely with government agencies to stay informed about emerging threats and participate in information-sharing initiatives.

By taking these proactive steps, Japanese organizations can better protect themselves against the evolving landscape of ransomware threats.