ZACROS Ransomware Nightmare: 157K Personal Records Exposed in Major Data Breach

March 9, 2025

In January 2025, packaging giant ZACROS Corporation was hit by a ransomware attack that may have compromised over 157,000 personal records.

Incident

In January 2025, ZACROS Corporation (formerly Fujimori Kogyo Co., Ltd.), a leading packaging materials manufacturer, revealed that it had suffered a ransomware attack potentially exposing approximately 157,203 pieces of personal information.

Overview of the Attack
On September 14, 2024, the company confirmed that a ransomware attack had encrypted several servers critical to its production management and core business systems. A task force was immediately formed to assess the breach, investigate potential data leakage, and initiate recovery measures with support from external experts.

Details of the Leaked Information

Affected Parties:

  1. Business Partners and Associates: Approximately 143,718 individuals may have had their names, company affiliations, titles, business addresses, telephone numbers, and business email addresses compromised.
  2. Company Executives, Employees, and Their Families: For roughly 13,485 individuals, sensitive data such as names, addresses, telephone numbers, dates of birth, gender, basic pension numbers, insurer numbers, and national identification numbers may have been exposed.

Attackers' Claims
The cybercriminal group known as Argonauts claims to have stolen 140 GB of data from ZACROS and, according to its website, is selling the data after the company reportedly refused to pay the ransom. The accuracy of these claims has not been independently verified.

Company Response and Future Prevention Measures
Upon discovering the breach, ZACROS promptly reported the incident to the appropriate authorities. The company is collaborating with external experts to determine the full extent of the damage and has committed to taking robust measures to prevent future attacks. These measures include:

  1. Enhancing overall security protocols and infrastructure.
  2. Strengthening employee cybersecurity training to mitigate human error.
  3. Implementing stricter network monitoring and incident response strategies.

Conclusion
The ransomware attack on ZACROS has potentially resulted in a significant data breach affecting business partners, employees, and their families. As cyber threats continue to escalate, the incident serves as a stark reminder for companies to prioritize information security and ensure robust defenses against future attacks.

Result

No ransom paid, but sensitive data is now a global liability.

Note: This is not a win. Although no ransom was paid, the data has still been leaked, posing a direct risk to global supply chains. Internationally, data exposure is often more damaging than the ransom itself, yet Japanese companies fail to recognize this. Worse, many organizations attempt to downplay or obscure the extent of their breaches rather than addressing the core issue. Japan must recognize this failure.

MITRE ATT&CK Analysis

| Tactic | Technique | Description | Evidence in ZACROS Case |
|---|---|---|---|
| Initial Access | T1566.001 (Phishing: Spearphishing Attachment) | Attackers send malicious emails with infected attachments to gain an entry point. | Possible attack vector: no direct evidence, but a common ransomware initial access method. |
| Initial Access | T1078.004 (Valid Accounts: Cloud Accounts) | Use of compromised legitimate credentials to access internal systems. | Possible attack vector: no confirmation, but valid accounts may have been abused. |
| Execution | T1204.002 (User Execution: Malicious File) | Malware requires user interaction (e.g., opening a file or running a script). | Possible, but not confirmed by ZACROS. |
| Execution | T1059.001 (Command and Scripting Interpreter: PowerShell) | Attackers use PowerShell to execute commands. | Possible, if system administration scripts were abused. |
| Persistence | T1543.003 (Create or Modify System Process: Windows Service) | Attackers create or modify a Windows service to maintain access. | Possible, if the ransomware established persistence. |
| Persistence | T1078 (Valid Accounts) | Use of stolen credentials to maintain access. | Possible, but ZACROS did not confirm. |
| Privilege Escalation | T1068 (Exploitation for Privilege Escalation) | Exploiting vulnerabilities to gain higher privileges. | Not confirmed, but possible. |
| Defense Evasion | T1562.001 (Disable or Modify Tools: Disable Security Tools) | Attackers disable antivirus or security software. | Possible, but no confirmation from ZACROS. |
| Defense Evasion | T1486 (Data Encrypted for Impact) | Files are encrypted to prevent normal operations. | Confirmed: production and core business servers were encrypted. |
| Credential Access | T1555.003 (Credential Dumping: Windows Credentials) | Attackers extract credentials from system memory or databases. | Possible, but no confirmation. |
| Discovery | T1083 (File and Directory Discovery) | Attackers scan for critical files before encryption. | Highly likely: sensitive data was targeted. |
| Discovery | T1018 (Remote System Discovery) | Attackers map internal networks. | Possible, but no confirmation. |
| Lateral Movement | T1021.001 (Remote Services: Remote Desktop Protocol) | Attackers move laterally using RDP. | Possible, but no confirmation. |
| Collection | T1560 (Archive Collected Data) | Attackers compress and prepare stolen data. | Confirmed: 140 GB of data was stolen, meaning attackers collected and exfiltrated information. |
| Exfiltration | T1041 (Exfiltration Over C2 Channel) | Data sent to external command-and-control servers. | Confirmed: attackers claim data was stolen and sold. |
| Impact | T1486 (Data Encrypted for Impact) | Files encrypted to disrupt operations. | Confirmed: systems were locked. |
| Impact | T1490 (Inhibit System Recovery) | Attackers delete backups to prevent recovery. | Possible, but ZACROS had backup systems. |

Disclosure Timeline

  1. https://ssl4.eir-parts.net/doc/7917/ir_material3/237332/00.pdf
  2. https://ssl4.eir-parts.net/doc/7917/ir_material9/237327/00.pdf
  3. https://ssl4.eir-parts.net/doc/7917/tdnet/2505075/00.pdf
  4. https://ssl4.eir-parts.net/doc/7917/tdnet/2512288/00.pdf
  5. https://ssl4.eir-parts.net/doc/7917/tdnet/2536201/00.pdf
  6. https://ssl4.eir-parts.net/doc/7917/tdnet/2546617/00.pdf

Reference

Official Website: https://www.zacros.co.jp/

  1. https://ssl4.eir-parts.net/doc/7917/ir_material3/237332/00.pdf
  2. https://ssl4.eir-parts.net/doc/7917/ir_material9/237327/00.pdf
  3. https://ssl4.eir-parts.net/doc/7917/tdnet/2505075/00.pdf
  4. https://ssl4.eir-parts.net/doc/7917/tdnet/2512288/00.pdf
  5. https://ssl4.eir-parts.net/doc/7917/tdnet/2536201/00.pdf
  6. https://ssl4.eir-parts.net/doc/7917/tdnet/2546617/00.pdf
  7. https://attack.mitre.org/