Full Report
Overview

In recent years, ransomware attacks have been increasing worldwide, with Korean companies also experiencing a rise in cases. Especially since 2023, there has been a sharp surge in ransomware incidents targeting the Asia region, highlighting the need for a systematic analysis of this trend and its impact. This report is based […]
Analysis Summary
# Incident Report: Ransomware Attacks Targeting Korean Companies (2021–Q1 2025)
## Executive Summary
This report analyzes 39 confirmed ransomware incidents targeting Korean companies (including overseas subsidiaries) between January 2021 and March 2025, based on postings on ransomware groups' dedicated leak sites (DLS). The trend shows a clear increase in attacks, with a sharp surge observed in 2024. The incidents involved various ransomware groups and, in the early years analyzed, primarily impacted the manufacturing sector.
## Incident Details
- Discovery Date: Ongoing analysis based on DLS posting dates (First confirmed case Jan 2021)
- Incident Date: Between January 2021 and March 2025
- Affected Organization: Various Korean companies and their overseas subsidiaries (39 cases analyzed)
- Sector: Manufacturing, Auto Parts, Shipbuilding (Early focus areas)
- Geography: Global (Focus on Korean headquartered entities, including overseas operations)
## Timeline of Events
### Initial Access
- Date/Time: Beginning in 2021 (First confirmed attack in 2021)
- Vector: Not detailed in the summary data provided; assumed to be typical ransomware entry vectors.
- Details: The analysis uses the initial DLS posting date as a proxy for the incident confirmation date.
### Lateral Movement
- Details: Specific lateral movement techniques are not detailed in this summary data set.
### Data Exfiltration/Impact
- Details: Confirmed impact involves data leakage reflected by DLS postings, suggesting data extortion alongside encryption. The scale of data damage is often unconfirmed unless self-disclosed.
### Detection & Response
- Details: Detection is primarily based on the public posting of compromised data on the attacker's DLS. Response actions are not detailed in the provided overview, aside from the data collection and analysis itself.
## Attack Methodology
*Note: Specific technical details for individual TTPs (Tactics, Techniques, and Procedures) are not provided in the source document, as it focuses on trend analysis. The summary below reflects general ransomware stages.*
- Initial Access: Unknown, likely common vectors such as phishing or exploitation of vulnerabilities.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown (Implied by ability to avoid detection long enough to exfiltrate data).
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Data theft leading to DLS posting.
- Exfiltration: Data theft leading to DLS posting.
- Impact: Data encryption (ransomware) and data extortion (DLS posting).
## Impact Assessment
- Financial: Not quantified in this summary.
- Data Breach: Data leakage confirmed for cases posted on DLS. Sensitive operational or customer data likely involved based on targeting industries.
- Operational: Business disruption is implied by encryption and extortion, but the magnitude of the impact frequently cannot be ascertained.
- Reputational: High, especially given the public nature of DLS postings.
## Indicators of Compromise
- Network indicators: Not provided in the summary.
- File indicators: Not provided in the summary.
- Behavioral indicators: Not provided in the summary.
## Response Actions
- Containment/Eradication/Recovery: Details on specific remediation actions for the 39 cases are not available in this trend analysis overview.
## Lessons Learned
- Trend Confirmation: Ransomware targeting Korean entities (including global subsidiaries) has shown a significant upward trajectory from 2021, accelerating sharply since 2023/2024.
- Sectoral Focus: In the early years (2022), key industrial sectors like manufacturing, auto parts, and shipbuilding were targeted.
- Data Dependency: Analysis heavily relies on public DLS postings; incidents resolved privately or unreported remain hidden.
## Recommendations
- Enhance Visibility: Implement robust monitoring across all overseas subsidiaries as they constitute a material risk to the parent organization.
- Sectoral Hardening: Increase security controls specifically tailored to the manufacturing sector, which showed early targeting patterns.
- Proactive Threat Hunting: Assume successful initial access has occurred and focus detection efforts on immediate lateral movement and data staging activities following observed attack spikes.
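The last recommendation, hunting for data staging followed by outbound transfer, can be turned into a concrete correlation rule. The following is an added illustration written for this summary, not code from the report or any of the organizations it covers. It assumes a simple key=value endpoint log format, an assumed list of archiving tools, an assumed 30-minute correlation window, an assumed 500 MiB outbound threshold, and an assumed set of internal address ranges; the log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed heuristics (not taken from the report): tools commonly used to bundle
# files before exfiltration, the window in which staging and transfer are linked,
# the outbound byte threshold, and the address ranges treated as internal.
ARCHIVE_TOOLS = {"7z.exe", "rar.exe", "winrar.exe", "tar", "zip"}
WINDOW = timedelta(minutes=30)
MIN_BYTES_OUT = 500 * 1024 * 1024  # 500 MiB
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# key=value pairs; quoted values may contain spaces (e.g. a command line)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: one host stages an archive of a finance share and pushes
# a large transfer to an external address minutes later; the others are benign.
SAMPLE_LOG = [
    r'ts=2024-05-12T01:02:03Z host=WS-17 event=process_create image=7z.exe user=svc_backup cmdline="7z a -mx1 D:\staging\fin.7z \\fs01\finance"',
    r'ts=2024-05-12T01:15:40Z host=WS-17 event=net_conn dst_ip=203.0.113.45 dst_port=443 bytes_out=734003200',
    r'ts=2024-05-12T09:00:00Z host=WS-03 event=process_create image=7z.exe user=jlee cmdline="7z a report.7z report.docx"',
    r'ts=2024-05-12T17:30:00Z host=WS-03 event=net_conn dst_ip=203.0.113.9 dst_port=443 bytes_out=1048576',
    r'ts=2024-05-12T02:00:00Z host=WS-22 event=net_conn dst_ip=10.0.5.8 dst_port=445 bytes_out=900000000',
]


def parse_line(line):
    """Parse one key=value log line into a dict, converting ts to a datetime."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_external(ip_text):
    """True when the destination is outside the assumed internal ranges."""
    addr = ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETS)


def find_staging_then_exfil(lines):
    """Return one alert per large external transfer that follows an archive
    creation on the same host within WINDOW (archive first, transfer second)."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    staging = {}   # host -> archive-creation events seen so far
    alerts = []
    for e in events:
        host = e["host"]
        if e["event"] == "process_create" and e["image"].lower() in ARCHIVE_TOOLS:
            staging.setdefault(host, []).append(e)
        elif (e["event"] == "net_conn" and is_external(e["dst_ip"])
              and int(e["bytes_out"]) >= MIN_BYTES_OUT):
            recent = [s for s in staging.get(host, []) if e["ts"] - s["ts"] <= WINDOW]
            if recent:
                archive = recent[-1]  # most recent staging activity on this host
                alerts.append({
                    "host": host,
                    "archive_ts": archive["ts"].isoformat(),
                    "archive_cmd": archive["cmdline"],
                    "transfer_ts": e["ts"].isoformat(),
                    "dst_ip": e["dst_ip"],
                    "bytes_out": int(e["bytes_out"]),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_staging_then_exfil(SAMPLE_LOG):
        print(alert)
```

The rule deliberately requires both halves of the pattern on the same host: an archive tool alone (WS-03) or a large internal transfer alone (WS-22) is routine, while an archive followed within minutes by a large external push (WS-17) is the staging-then-exfiltration sequence the report's DLS-based findings imply. In production the tool list, window and threshold should be tuned against the environment's baseline.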