KADOKAWA / Niconico BlackSuit ransomware (2024)

On the morning of 8 June 2024, the Japanese media and publishing giant KADOKAWA — owner of the Niconico video platform, dozens of anime and game studios, and the Kadokawa Dwango Educational Institute — suffered a ransomware attack by the Russian-linked BlackSuit group. Niconico went dark, KADOKAWA's corporate infrastructure was paralysed, and the outage stretched for two months.

What happened

The intrusion was traced back to a phishing attack. Once inside, BlackSuit operators encrypted both KADOKAWA's corporate IT and the infrastructure supporting Niconico's video platform. When KADOKAWA tried to shut down compromised servers remotely, the attackers — still active in the network — restarted them. KADOKAWA's incident-response team resorted to physically disconnecting power and network cables in the data centre.

BlackSuit demanded a ransom and threatened to leak 1.5 TB of stolen data if not paid by 1 July 2024. KADOKAWA negotiated, and in December the company paid approximately $2.9 million in cryptocurrency. BlackSuit leaked the data anyway — a public reminder that paying ransomware groups buys neither silence nor honour.

KADOKAWA's stock dropped over 20% by early July 2024. Niconico did not fully come back online until 5 August 2024, nearly two months after the attack.

Impact

Niconico and KADOKAWA group services offline for nearly 2 months.
KADOKAWA stock down >20% in the weeks after disclosure.
254,241 individuals had personal data leaked, including 186,269 Kadokawa Dwango Educational Institute students.
~$2.9 million ransom paid; data leaked anyway.
Triggered widespread reviews of phishing-resilience and BCP for Japanese media infrastructure.

Why it matters

KADOKAWA's experience is one of the cleanest case studies of why paying a ransomware group does not buy data confidentiality. The crew took the payment and dumped the data. The lesson — operationally, legally, and in public communications — has shaped how Japanese boards now approach ransomware decisions.

Timeline

June 8, 2024

Around 03:30 JST, Niconico and KADOKAWA Group services suffer a connectivity failure. The cause is a BlackSuit ransomware attack.

June 14, 2024

KADOKAWA publicly confirms a ransomware attack; attackers are observed restarting servers remotely so KADOKAWA physically disconnects power and network cables.

July 1, 2024

BlackSuit's threatened deadline to leak 1.5 TB of stolen data passes.

August 5, 2024

Full services restored after roughly two months of downtime.

August 6, 2024

Internal investigation identifies a phishing attack as the probable initial-access vector.

December 12, 2024

BlackSuit emails KADOKAWA executives confirming receipt of approximately $2.9M in cryptocurrency — and proceeds to leak the 1.5 TB of stolen data anyway.

December 1, 2024

Confirmed personal data leak affects 254,241 individuals, including 186,269 students of the Kadokawa Dwango Educational Institute.

Sources

en.wikipedia.orghttps://en.wikipedia.org/wiki/2024_cyberattack_on_Kadokawa_and_Niconico

therecord.mediahttps://therecord.media/kadokawa-japan-reported-ransomware-payment

therecord.mediahttps://therecord.media/japan-anime-giant-data-leak-ransomware

cyberinsider.comhttps://cyberinsider.com/kadokawa-paid-3-million-ransom-blacksuit-ransomware-still-leaked-stolen-data/

group.kadokawa.co.jphttps://group.kadokawa.co.jp/global/information/media-download/1345/840603bf0659e8ce/

Related incidents

RansomwareRansom paidJune 18, 2024

CDK Global BlackSuit ransomware (2024)

BlackSuit operators encrypted CDK Global's dealer-management platform, knocking ~15,000 North American car dealerships offline for nearly two weeks. A second attack hit on day two of recovery. Industry losses estimated at over $1 billion; CDK reportedly paid a $25 million ransom.

Victim: CDK Global
Loss: $1.00B

RansomwareContainedJanuary 17, 2024

Schneider Electric Sustainability Business Cactus ransomware (2024)

Cactus ransomware operators hit Schneider Electric's Sustainability Business division, taking the Resource Advisor consulting platform offline and exfiltrating approximately 1.5 TB of data — including passport scans and signed NDAs from customers like Hilton, PepsiCo, and Walmart.

Victim: Schneider Electric — Sustainability Business division

RansomwareContainedMay 13, 2026

Foxconn Nitrogen ransomware breach (2026)

The Nitrogen ransomware group claimed on its dark-web leak site that it had stolen over 11 million files from Foxconn's North American facilities, including confidential information belonging to customers Apple, Dell, Google, Intel, Nvidia, and Sony. Foxconn said affected factories were resuming normal production.

Victim: Foxconn (Hon Hai Precision Industry)

RansomwareUnknownMay 7, 2026

Académie de Montpellier: sensitive document leak after a cyberattack

The MedusaLocker ransomware group claims to have compromised systems linked to the Académie de Montpellier / CSJM and is threatening to publish documents

Victim: Montpellier education authority