Cyber Incident Victim: Yamabiko
Date: May 2021
Location: Japan
Summary
The Babuk ransomware group claimed responsibility for compromising a major Japanese power tool and machinery manufacturer, alleging theft of 0.5 terabytes of sensitive data including employee personal information, financial reports, technical schematics, and proprietary design files. Screenshots of accessed systems and branded documents were published, though the victim did not officially confirm the breach. The attackers reportedly exploited a VPN zero-day vulnerability, consistent with broader trends of VPN exploitation targeting Japanese entities. Babuk's resurgence through this incident contradicted its prior claims of ceasing operations; the group opted for data theft over encryption-based disruption. The historical reluctance of Japanese firms to engage in ransom negotiations, exemplified by unrelated prior incidents, suggested potential challenges for the extortion effort.
Description
On June 23, 2021, the Babuk ransomware group claimed responsibility for a cyberattack against Yamabiko Corporation, a major Japanese manufacturer of power tools, agricultural machinery, and outdoor power equipment. Babuk listed Yamabiko on its data leak portal, asserting it had exfiltrated approximately 0.5 terabytes of sensitive corporate data. The stolen information reportedly included filesystem screenshots, Solidworks design files, employee personal data, financial reports, product testing diagrams, and circuit schematics. Babuk provided samples of the allegedly stolen data, some displaying Yamabiko letterheads or branding associated with its subsidiaries Kioritz, Shindaiwa, and Echo. Yamabiko Corporation, formed through a 2008 merger, maintained over 3,000 employees and reported annual revenues exceeding $1 billion USD at the time of the incident. Despite Babuk's claims and supporting evidence, Yamabiko did not publicly acknowledge the breach or confirm the compromise of its systems. The company's website remained accessible during this period; observers noted it appeared characteristically slow, but this was unrelated to the attack, since Babuk had previously announced it would cease encrypting victim networks and focus exclusively on data theft and extortion.

The incident marked Babuk’s first publicly claimed attack following contradictory statements about ceasing operations, confirming the group’s continued activity. Babuk representatives stated in interviews that they exploited a zero-day vulnerability in VPN software to infiltrate Yamabiko’s network, aligning with broader trends of ransomware actors targeting VPN infrastructure in Japan. The attack’s primary impact centered on data exposure risks rather than operational disruption, as no encryption or system downtime occurred. Industry analysts highlighted the potential financial significance of the breach given Yamabiko’s revenue scale and the sensitive nature of stolen intellectual property, including proprietary engineering designs. No ransom demands or negotiation details were disclosed publicly. Observers noted Japanese firms’ historical reluctance to engage with ransomware actors, citing Capcom’s 2020 refusal to negotiate with the Ragnar Locker group as precedent. Yamabiko maintained operational continuity throughout the incident, with no subsequent reports of data leaks or further communications from Babuk regarding this specific case.
