Overview

 

 

In recent years, ransomware attacks have been increasing worldwide, with Korean companies also experiencing a rise in cases. Especially since 2023, there has been a sharp surge in ransomware incidents targeting the Asia region, highlighting the need for a systematic analysis of this trend and its impact.

 

This report is based on information posted on ransomware groups’ Dedicated Leak Sites (DLS). The data used for analysis includes the date of the attack, DLS post titles, ransomware group names, affected company names, and major and minor industry classifications. Using this data, the report primarily analyzes the temporal trends and sectoral impact of ransomware attacks targeting Korean companies from 2021 to the first quarter of 2025.

 

The analysis adopts a comprehensive approach by including overseas subsidiaries of Korean companies. This perspective considers the global business environment, recognizing that damages to overseas subsidiaries directly affect the parent company’s overall business continuity.

 

 

Data Overview

 

 

The data for this analysis was collected from DLS operated by major ransomware groups. The dataset covers 39 attack cases related to Korean companies posted between January 2021 and March 2025. Each case includes information such as the date of the attack, company names, ransomware group names, and industry classifications.

 

The following criteria were applied during the data collection process:

1. The scope of Korean companies was set to include overseas subsidiaries of companies headquartered in Korea. This is based on the judgment that attacks on overseas subsidiaries effectively constitute damages to domestic companies.
2. The date of attack was determined based on the first posting date on DLS.
3. Industry classifications were divided into major and minor categories based on the Korean Standard Industry Classification (KSIC).

 

However, the dataset has some limitations:

1. It only includes cases posted on known DLS, excluding smaller group attacks or cases where data leakage was prevented due to ransom payment.
2. Some attacks were confirmed through self-disclosure by affected companies, such as media exposure, but details like the scale of damage or specific attack methods were difficult to ascertain.
3. In cases where multiple attacks occurred against the same company, each incident was treated as an independent case.

 

Despite these limitations, the collected data provides valuable insights into the overall trends and status of ransomware attacks against Korean companies. It serves as a meaningful foundation for analyzing changes in the number of attacks over time, industry-specific damages, and characteristics of affected companies.

 

Analysis of Korean Industries Damaged Due to Ransomware

 

 

1. Analysis of Damages

 

 

1.1. Changes in the Number of Cases by Year

 

 

Ransomware attacks targeting Korean companies showed a clear upward trend from 2021 to 2024. In 2021, one attack by the LockBit group was confirmed, marking the beginning of ransomware targeting Korean companies. In 2022, three attacks by groups such as Snatch, Hive, and Cuba occurred, mainly targeting the manufacturing sector, including auto parts manufacturers and shipbuilding industries.