Cyber Incident Victim: Konica Minolta

Date: Jul 2020

Location: Japan

Summary

Konica Minolta experienced a ransomware attack disrupting customer services and support systems for nearly a week, including outages to its product supply portal and printer-related error notifications. The incident involved the RansomEXX ransomware strain, which encrypted files with a '.K0N1M1N0' extension after attackers compromised the network, gained administrative privileges, and deployed encryption across devices. The ransomware operation appeared focused solely on encryption without evidence of data exfiltration at the time.

Description

On July 30, 2020, Konica Minolta customers began reporting outages affecting the company’s product supply and support site, MyKMBS, which displayed a temporary unavailability message. The portal remained inaccessible for nearly a week, disrupting customer access to critical services and support resources. During this period, Konica Minolta advised users needing immediate assistance to contact its Global Customer Services by phone in the US or Canada but did not publicly disclose the cause of the outage. Customers expressed frustration over the lack of clear communication from the company regarding the incident’s origin. Concurrently, some Konica Minolta printers began displaying "Service Notification Failed" errors, prompting the company to update its outage notification with a link to a support document addressing the printer issue. BleepingComputer attempted to contact Konica Minolta multiple times via email and phone for clarification but received no response. Internal sources within the company later indicated to customers that the outage resulted from a security breach, though this was not officially confirmed by Konica Minolta at the time. The prolonged disruption impacted the company’s ability to deliver services to its global clientele, spanning printing solutions, healthcare technology, and managed IT services.

The attack was later identified as a ransomware incident involving the RansomEXX strain, following the emergence of a ransom note titled "!!KONICA_MINOLTA_README!!.txt" specifically targeting the company. Encrypted files on affected systems were appended with the ".K0N1M1N0" extension, confirming the ransomware’s execution. RansomEXX, a human-operated ransomware first documented in June 2020 during an attack on the Texas Department of Transportation, typically involves threat actors compromising a network, laterally moving to escalate privileges, and deploying ransomware after obtaining administrator credentials and domain controller access. The operation against Konica Minolta followed this pattern, though the ransom note did not reference data exfiltration, suggesting encryption as the primary impact at that stage. Konica Minolta’s public-facing communications focused solely on service restoration efforts, omitting details about the ransomware or remediation steps taken internally. The incident underscored the operational risks faced by large enterprises providing integrated technology services, particularly when critical customer portals and connected devices are compromised. Service disruptions lasted approximately six days before normal operations resumed, though the company did not disclose whether a ransom was paid or the total scope of affected systems.
