Cyber Incident Victim: Fujifilm

Date: Jun 2021

Location: Japan

Summary

Fujifilm experienced a ransomware attack that significantly disrupted its global business operations, forcing the shutdown of network segments worldwide and impacting email, billing, and reporting systems. The company confirmed the incident was caused by ransomware deployed via unauthorized access, with the REvil gang suspected due to prior Qbot trojan infections facilitating network infiltration. While the attack's impact was limited to specific domestic networks, recovery efforts involved gradually restoring operations on verified-safe servers and computers. This event occurred amid heightened scrutiny of ransomware targeting critical infrastructure, with REvil also linked to contemporaneous attacks on major global supply chain entities.

Description

On June 1, 2021, Fujifilm detected unauthorized network access later confirmed as a ransomware attack. The company initiated an immediate response by June 2, instructing employees globally to power down computers and servers at approximately 10:00 AM EST. This containment measure caused significant operational disruptions, including inaccessibility of email systems, billing platforms, and internal reporting tools. Fujifilm publicly acknowledged a cyberattack that day but did not initially specify ransomware involvement, though internal communications identified it as such. By June 4, Fujifilm officially confirmed the ransomware nature of the breach in an updated statement, clarifying the intrusion occurred during the evening of June 1. The company asserted the impact was confined to specific domestic network segments within Japan, enabling gradual restoration of verified-safe systems starting June 4. Network communications resumed sequentially following safety confirmation.

The attack methodology involved initial infiltration via the Qbot trojan, which facilitated remote network access for the REvil ransomware operation according to cybersecurity firm Advanced Intel. Attackers leveraged this access to propagate laterally across systems, exfiltrate unencrypted data, and compromise Windows domain administrator credentials before deploying ransomware encryption. While Fujifilm did not publicly attribute the attack, industry analysts linked it to REvil based on the Qbot partnership and operational patterns matching recent high-profile incidents like the JBS meat processing attack. Fujifilm implemented customer-facing website notifications regarding service disruptions but did not disclose whether data was stolen or if ransom negotiations occurred. The incident coincided with heightened global scrutiny of ransomware following attacks on Colonial Pipeline and Ireland's HSE healthcare system, prompting U.S. plans to address cybercrime during the Biden-Putin summit later that month. Business operations resumed progressively as systems underwent safety verification and restoration.
