Full Report
The Japan Times reports: Japanese office supplies retailer Askul said that a ransomware cyberattack discovered in October led to the leakage of about 740,000 sets of data concerning its individual customers, corporate clients and employees. Of the total, about 590,000 sets of data were linked to its office supplies sales service for corporate customers, while...
Analysis Summary
# Incident Report: Askul Ransomware and Data Exfiltration
## Executive Summary
Japanese office supplies retailer Askul suffered a ransomware cyberattack discovered in October (prior to the report date). The incident resulted in the exfiltration of approximately 740,000 sets of data belonging to individual customers, corporate clients, and employees. The Ransomhouse group publicly claimed responsibility and began leaking data in late October through early December. Askul confirmed the breach but stated they did not pay the ransom, and no credit card information was confirmed stolen.
## Incident Details
- **Discovery Date:** October (the source states only that the attack was "discovered in October"; no exact date is given)
- **Incident Date:** October or earlier (ransomware deployment and data exfiltration preceded discovery; exact dates not given in source)
- **Affected Organization:** Askul (Japanese office supplies retailer)
- **Sector:** Retail / Office Supplies Sales
- **Geography:** Japan
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown; some time before the October discovery
- **Vector:** Ransomware cyberattack (specific initial access vector not detailed in source)
- **Details:** The attack led to data exfiltration and subsequent public leakage.
### Lateral Movement
- *Not detailed in source material.*
### Data Exfiltration/Impact
- **Date/Time:** Ransomhouse added Askul to its dark web leak site on October 30th. "Evidence packs" were leaked in November and on December 2nd.
- **Details:** Leakage of approximately 740,000 sets of data. This includes data linked to corporate clients (590,000 sets) and the "Lohaco" individual customer e-commerce service (130,000 sets).
### Detection & Response
- **Date/Time:** Discovered in October.
- **Response actions taken:** The company did not pay a ransom to the attackers.
## Attack Methodology
- **Initial Access:** Ransomware Cyberattack (Specific vector unknown)
- **Persistence:** *Not detailed in source material.*
- **Privilege Escalation:** *Not detailed in source material.*
- **Defense Evasion:** *Not detailed in source material.*
- **Credential Access:** *Not detailed in source material.*
- **Discovery:** *Not detailed in source material.*
- **Lateral Movement:** *Not detailed in source material.*
- **Collection:** Data gathered across corporate sales services, individual customer data (Lohaco), and employee data.
- **Exfiltration:** Data leaked publicly by the Ransomhouse group on their dark web site starting October 30th.
- **Impact:** Data leakage, potential financial and reputational loss.
## Impact Assessment
- **Financial:** *Not detailed in source.* Askul declined to pay the ransom.
- **Data Breach:** Approximately 740,000 sets of data compromised, including:
  - 590,000 sets (corporate client office supplies sales data)
  - 130,000 sets (individual customer data via the Lohaco service)
  - Employee data (volume not specified in source)
  - *Crucially, no leakage of individual customer credit card information was confirmed.*
- **Operational:** *Not detailed in source regarding operational downtime.*
- **Reputational:** Public reporting via The Japan Times and public extortion/leaking by the Ransomhouse group.
## Indicators of Compromise
- **Network indicators:** None provided in source
- **File indicators:** None provided in source
- **Behavioral indicators:** Public posting and leakage of Askul data by the **Ransomhouse** ransomware group on its dark web leak site, starting October 30th
## Response Actions
- **Containment measures:** *Not detailed in source.*
- **Eradication steps:** *Not detailed in source.*
- **Recovery actions:** *Not detailed in source.*
- **Key Decision:** Did not pay the ransom demand.
## Lessons Learned
- The organization was successfully targeted by a ransomware operation, resulting in significant exposure of customer, client, and employee data.
- Public extortion via dark web leak sites (here, Ransomhouse's) is a key component of the threat actor's monetization strategy; data exfiltration precedes the leak-site posting.
- Although credit card data was not confirmed stolen, a large volume of PII and business data was compromised across several organizational segments (corporate sales, the Lohaco consumer service, and employee records).
## Recommendations
- Conduct a thorough forensic analysis to determine the precise initial access vector used by the ransomware group, since the source does not identify it.
- Immediately implement multi-factor authentication (MFA) across all critical services, especially those holding corporate and customer data.
- Review and segment corporate networks to limit the scope of lateral movement in future incidents.
- Enhance monitoring for unusual outbound data transfers, since exfiltration takes place before the attacker's public leak-site posting and is the point at which detection could still limit the damage.