Cyber Incident Victim: Yaskawa Electric Corporation
Date:
Aug 2020
Location:
Japan
Summary
The Yaskawa Electric Corporation fell victim to a ransomware attack by the LockBit group, which exfiltrated proprietary data including purchase records, bank account details, and technical product information. LockBit publicly threatened the company on a dark web forum, demanding ransom under the alias "BETTER PAY," and later published the stolen data on their dedicated blog as intimidation. The group faced operational challenges, with an affiliate alleging technical failures in encryption and decryption processes that potentially enabled victims to recover files without paying. While LockBit's data leak was confirmed, the effectiveness of their file encryption remained uncertain, suggesting possible deficiencies in their ransomware execution despite successful data theft for extortion purposes.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On August 22, 2020, an actor using the alias "BETTER PAY" posted a ransom demand targeting Yaskawa Electric Corporation on a Russian-language dark web forum. The post included a seven-day deadline for payment and featured a screenshot of files and folders with Japanese text, purportedly from Yaskawa's systems. The account used for this post was registered the same day, indicating it was likely created solely for this extortion attempt. This initial threat did not specify the exact nature of the compromised data but served as a public warning to pressure the company into compliance.
LockBit, a ransomware group operating on Russian-language dark web forums, escalated the incident on September 14, 2020, by launching a dedicated blog and publishing Yaskawa’s stolen data alongside another victim’s information. The leaked Yaskawa database contained proprietary records, including purchase histories, bank account details, technical product specifications, and internal corporate documents. Concurrently, LockBit used its forum presence to recruit affiliates, employing near-identical posts across multiple dark web platforms to expand its operations. A separate cybercriminal, "wexford," publicly criticized LockBit in early September 2020, alleging technical failures in the group’s encryption and decryption processes during prior attacks. wexford claimed these flaws enabled some victims to restore systems without paying ransoms by relying on backups or network redundancies. While Yaskawa’s data was publicly exposed, the effectiveness of LockBit’s encryption against the company’s infrastructure remained unverified. The group’s decision to release the data freely suggested a possible failure to fully disrupt Yaskawa’s operations through encryption, though no confirmation of decryption issues or ransom payment outcomes was disclosed. The incident exposed Yaskawa to potential financial, operational, and reputational risks due to the theft of sensitive corporate and customer information.