Cyber Incident Victim: Overseas Express Shipping Company

Date: Sep 2020

Location: Japan

Summary

The Overseas Express Shipping Company was targeted in a ransomware attack by the LockBit group, which exfiltrated and publicly leaked a database containing approximately 5.8 million records of sensitive personal information, including names, addresses, and email addresses. LockBit used dark web forums and a dedicated blog to intimidate the victim and pressure it into paying the ransom, though technical failures in their encryption and decryption processes reportedly enabled some affected organizations to restore operations without paying. The incident highlighted LockBit's adoption of established ransomware tactics, including data theft for leverage and recruitment of affiliates, despite operational inconsistencies that undermined their effectiveness.

Description

On September 14, 2020, the ransomware group LockBit announced the launch of a dedicated blog on a Russian-language dark web forum, using it to publish stolen data from two victims: Yaskawa Electric Corporation and Overseas Express Shipping Company. The group, which operated under the Ransomware-as-a-Service (RaaS) model, had previously recruited affiliates through forum posts on January 17, 2020. LockBit’s blog post contained Overseas Express Shipping Company’s database comprising 5.8 million records, including personally identifiable information (PII) such as names, addresses, and email addresses, as well as internal corporate documents. This data leak followed an unconfirmed ransomware attack against the shipping company, though the effectiveness of LockBit’s file encryption during the incident remained unclear. The publication of the database aligned with established ransomware intimidation tactics, where groups leverage stolen data to pressure victims into paying ransoms by threatening or executing public releases.

The incident’s technical execution faced scrutiny from another cybercriminal using the alias “wexford,” who publicly accused LockBit on September 2, 2020, of failing to deliver ransom payments after four months of collaboration. Wexford alleged LockBit’s ransomware had critical flaws in both encryption and decryption processes, enabling some victims to restore operations using network backups without paying. This claim cast doubt on whether Overseas Express Shipping Company’s systems were successfully encrypted or whether the data leak represented retaliation for non-payment. No information was disclosed regarding Overseas Express’s detection methods, containment efforts, or whether it negotiated with LockBit. The confirmed impact included the exposure of sensitive customer and corporate data, potentially facilitating identity theft or further targeted attacks. LockBit’s simultaneous leak of Yaskawa Electric Corporation’s proprietary financial and technical data underscored the group’s focus on high-value targets across multiple industries.
