There were 134 ransomware incidents reported in Japan in 2025, representing a 17.5% year-over-year increase from 2024.
# Incident Report: Rise of Qilin Ransomware Activity in Japan (2025)
## Executive Summary
In 2025, Japan experienced a significant surge in ransomware activity, with 134 reported incidents marking a 17.5% year-over-year increase. The Qilin ransomware group emerged as the primary threat actor, accounting for over 16% of these attacks by leveraging stolen credentials and advanced "EDR-killer" malware. The manufacturing and automotive sectors were the most heavily impacted, with attackers increasingly focusing on small- and medium-sized enterprises (SMEs).
## Incident Details
- **Discovery Date:** Ongoing monitoring throughout 2025 (Report published April 2026)
- **Incident Date:** January 2025 – December 2025
- **Affected Organization:** 134 organizations (multiple victims, not individually named)
- **Sector:** Primarily Manufacturing (28%), Automotive (8%), Trading (7%), and IT (6%)
- **Geography:** Japan (Nationwide)
## Timeline of Events
### Initial Access
- **Date/Time:** Various dates throughout 2025.
- **Vector:** Valid Accounts (Credential Theft).
- **Details:** Attackers obtained legitimate credentials via Telegram channels, Breach Forums, and Initial Access Brokers (IABs).
### Lateral Movement
- Attackers utilized specialized toolsets, including SystemBC and the creation of unauthorized local admin accounts using the `net user` command, to navigate compromised environments.
### Data Exfiltration/Impact
- **Data Exfiltration:** Qilin utilized double-extortion tactics, listing victims on a dedicated leak site (over 200 global victims in October 2025 alone).
- **Impact:** Encryption of critical files and public exposure of sensitive corporate data.
### Detection & Response
- **Detection:** Identified through Sigma and YARA rule correlations, specifically monitoring for frequent `net user` executions and suspicious EDR-disabling tools.
- **Response:** Security researchers (Talos) published 12 Sigma rules and Snort signatures to detect the pre-ransomware phase.
## Attack Methodology
- **Initial Access:** Stolen credentials bought from IABs or harvested from forums/Telegram.
- **Persistence:** Creation of new local user accounts (`net user /add`).
- **Defense Evasion:** Use of "EDR killer" malware and legitimate tools (e.g., ThrottleStop) to disable endpoint security monitoring.
- **Credential Access:** Credentials for multiple victim accounts had already been exposed before the intrusion.
- **Discovery:** Probing for administrative accounts and network architecture.
- **Lateral Movement:** Usage of SystemBC for tunneling and control.
- **Exfiltration:** Theft of corporate data, later published on leak sites for extortion.
- **Impact:** Ransomware execution causing operational downtime and loss of data confidentiality.
## Impact Assessment
- **Financial:** High potential (costs associated with ransom demands and recovery), though specific yen amounts were not disclosed.
- **Data Breach:** Exposure of proprietary data on Qilin leak sites.
- **Operational:** Severe disruption, particularly in the manufacturing and healthcare sectors where downtime has immediate physical/social consequences.
- **Reputational:** Public listing on leak sites impacting 134 Japanese organizations.
## Indicators of Compromise
*(Note: Samples provided are defanged examples based on the report findings)*
- **Network Indicators:**
- Snort SIDs: 66181, 66180, 301456
- **File Indicators (Malware Families):**
- Win.Malware.Bumblebee-10056548-0
- Win.Tool.EdrKiller-10059833-0
- Win.Tool.ThrottleStop-10059849-0
- **Behavioral Indicators:**
- Multiple `net user` command executions (3+ times within 15 minutes).
- Use of `Password@123` for unauthorized account creation.
## Response Actions
- **Containment:** Implementation of ClamAV and Snort signatures to block known Qilin tooling.
- **Eradication:** Identification and removal of SystemBC and EDR-killer binaries.
- **Recovery:** Restoration of services for the 57% of impacted SMEs through backups (where available).
## Lessons Learned
- **Credential Hygiene is Critical:** The reliance on IABs shows that many Japanese firms are failing to secure credentials and lack Multi-Factor Authentication (MFA).
- **EDR is Not Infallible:** Attackers are now actively using tools specifically designed to "kill" EDR processes, requiring more robust kernel-level protections.
- **SMEs are Targets:** Small- and medium-sized enterprises are often viewed as "soft targets" with less mature security programs but valuable supply chain links.
## Recommendations
- **Implement MFA:** Enforce Multi-Factor Authentication on all external-facing services to mitigate the risk of stolen credentials.
- **Behavioral Monitoring:** Deploy Sigma correlation rules to detect suspicious account creation and administrative commands that bypass traditional signature-based alerts.
- **Supply Chain Security:** Manufacturing and automotive firms must audit the security posture of smaller subsidiaries and partners.
- **Hardened EDR Configurations:** Enable tamper protection features within EDR/AV solutions to prevent unauthorized process termination.
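Detection logic for the behavioral indicator listed under Indicators of Compromise (3+ `net user` executions within 15 minutes) and the correlation-rule recommendation above, as an added example that is not from the report or from Talos. It assumes process-creation records as pipe-separated `timestamp|host|account|command line` lines in time order (constructed sample data) and implements the per-host sliding window in Python rather than Sigma.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Added example (not Talos' rule): flag a host that runs `net user`
# THRESHOLD times within a sliding WINDOW, the behavioral indicator above.
THRESHOLD = 3
WINDOW = timedelta(minutes=15)
# Matches "net user" / "net1.exe user", bare or via cmd.exe, case-insensitive.
NET_USER_RE = re.compile(r'(?:^|[\\\s"])net1?(?:\.exe)?\s+user\b', re.IGNORECASE)

# Constructed process-creation records: timestamp|host|account|command line.
SAMPLE_LOG = """\
2025-10-03T09:00:12|WS-ACCT-07|svc_backup|net user
2025-10-03T09:03:40|WS-ACCT-07|svc_backup|net user support_adm Password@123 /add
2025-10-03T09:05:05|WS-ACCT-07|svc_backup|net localgroup administrators support_adm /add
2025-10-03T09:07:51|WS-ACCT-07|svc_backup|net user administrator
2025-10-03T10:30:00|FS-HQ-01|jdoe|net user jdoe
2025-10-03T11:10:00|FS-HQ-01|jdoe|cmd.exe /c net user jdoe
2025-10-03T11:40:00|FS-HQ-01|jdoe|net user
"""

def parse_line(line):
    ts, host, account, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, account, cmd

def detect_net_user_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per host the first time `threshold` net-user runs fall
    inside `window`. Records must be in time order; `net localgroup` and other
    net.exe subcommands are not counted by this rule."""
    recent = defaultdict(deque)   # host -> timestamps of recent net user runs
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ts, host, account, cmd = parse_line(line)
        if not NET_USER_RE.search(cmd):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # drop runs older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "account": account, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts
```

On the sample data only WS-ACCT-07 fires (three runs in under eight minutes); FS-HQ-01's three runs are each more than 15 minutes apart and stay below the threshold.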