Introduction

Japan ranks second in Asia for the number of ransomware incidents; as many companies with influence in the global economy and major industries are located there, the country has become a major target for threat actors. Attacks targeting Japan have increased sharply especially since 2023, and key industries such as manufacturing, information and communication, and construction are being heavily impacted. This is because of the vast amount of data held by Japanese companies, their influence within the supply chain, and security vulnerabilities in certain industries providing threat actors with opportunities to seek economic gain.

 

This report reflects this trend by comparing and analyzing AhnLab’s own collected data with the data of Japanese victim companies recorded on Ransomware.live. Also, it will statistically study ransomware damage targeting Japanese companies from 2017 to 2025 to focus on presenting key insights.
 

 

Analysis of Damage Status

 

1. Increase in Number of Damage Cases by Year

The number of ransomware damage cases targeting Japanese companies showed a continuously increasing trend from 2017 to 2024. The number of attacks surged especially since 2023, with a tendency to occur intensively in specific industries and periods.

Figure 1. The number of ransomware damage cases by year

 

 

2. Number of Damage Cases by Month

 

 

Ransomware attacks occurred intermittently in 2021 and no distinct pattern of concentration at specific times was observed. In 2022, the frequency of attacks increased compared to the previous year, with attacks occurring at various points throughout the year and showing a gradual upward trend.

 

In 2023, ransomware attacks generally increased with the frequency of attacks being relatively high, especially in April and July. The number of attacks increased significantly compared to the previous year, but no consistent pattern of concentration in specific industries or times was clearly observed.

 

In 2024, ransomware attacks increased significantly with a tendency to occur intensively in the fourth quarter (Q4). This suggests the possibility of a tendency for ransomware attacks to concentrate at specific times. Considering factors such as the fiscal closing season of companies, security response gaps during holiday periods, and business schedules of major industries, it is likely that attackers analyzed and targeted times when security becomes vulnerable.

 

In the first quarter (Q1) of 2025, a relatively high number of attacks was reported compared to the same period of the previous year, indicating the possibility that the attacks concentrated in the fourth quarter of 2024 may continue into the new year. Ransomware attacks may not be isolated incidents but could occur as part of ongoing campaigns, with a pattern of concentrated attacks at specific times potentially repeating. However, further analysis is needed to determine whether this phenomenon is a temporary trend or related to industry-specific characteristics or economic factors.

 

It would be important to analyze whether specific industries face increased security risks at the end of the year or in certain quarters and to develop response strategies accordingly in the future.

 

Figure 2. Monthly ransomware attack heatmap

 

3. Damage Status by Industry

Among the affected industries, the manufacturing sector accounted for the highest proportion of total attacks (69 cases) and became a major target of ransomware attacks. Due to the nature of operating large-scale production systems and global supply chains, the manufacturing sector has intricately intertwined operational technology (OT) and information technology (IT) systems. Because system paralysis can lead to significant losses from production disruptions, there is a high likelihood of the industry being prioritized as a target by threat actors.

 

The information and communication sector (13 cases) and the wholesale and retail sector (8 cases) also received relatively high attacks. This appears to be because they hold large amounts of data or can be used for supply chain attacks through distribution networks.

 

The construction sector (10 cases) and the professional and technical services sector (4 cases) also showed a pattern of being included as major targets. These sectors have many project-based tasks and operate systems containing important data such as contract information and blueprints, making them likely targets for ransomware attackers.

 

Various sectors such as accommodation and food services, healthcare and welfare, and transportation and postal services (each with 3 or fewer cases) are also becoming targets of attacks, suggesting that strengthening security is necessary not only for specific sectors but across all industries.

The damage status of Japanese industries is similar to the ransomware damage trend of Korean companies where manufacturing is a major target, showing that major foundational industries continue to be targets of attacks.

 

Figure 3. Status of ransomware attacks by industry

 

Major Ransomware Attack Groups

From 2017 to 2025, the ransomware groups that were most active in carrying out attacks targeting Japanese companies were identified as LockBit with 29 cases, Alphv (BlackCat) with 12 cases, RansomHub with 10 cases, Clop with 7 cases, and 8Base with 7 cases.

 

The top ransomware groups (such as LockBit, Alphv, RansomHub, Clop, etc.) account for a significant portion of all attacks and are characterized by continuously developing their attack techniques while maintaining the existing Ransomware-as-a-Service (RaaS) model.

 

As the reorganization of ransomware groups took place, the activities of some groups sharply declined or ceased after 2024, and a pattern of new groups rapidly emerging was observed. LockBit has been consistently carrying out attacks since 2021 and recording the most damage cases, but it then showed a trend of sharply declining activity frequency since February 2024, when law enforcement crackdowns occurred. Alphv (BlackCat) and 8Base also had their activities disrupted due to the closure of DLS and the cessation of operations. On the other hand, RansomHub emerged after February 2024 and has carried out 10 attacks to date, rapidly expanding its influence. After the crackdowns on groups like LockBit, Alphv, and 8Base, it appears that the threat actors who have been using the RaaS affiliates of these groups moved en masse to RansomHub. As a result, there is a high possibility that the number of attacks by RansomHub and similar new groups will increase in the future.

 

There is a trend of new groups emerging by using the code of existing groups or through rebranding after ceasing activities in the ransomware ecosystem. As such, it is deemed necessary to analyze the relationships between attack groups and continuously monitor their activities in the future.

Figure 4. The number of damage cases by ransomware group

 

Ransomware Response Strategy

 

As ransomware attacks become increasingly sophisticated and the scale of damage expands, Japanese companies need to establish stronger security strategies. Below is a compiled response strategy based on recent ransomware trends and key security recommendations.

 

※ Please refer to the attachment for more details.