‘Elden Ring’ Parent Company Hit With Ransomware Attack

Kadokawa Corporation, the parent company of Elden Ring publisher FromSoftware, revealed on Thursday that it was the victim of a ransomware attack earlier this month.

According to a Kadokawa press release shared by IGN, the attack took place on June 8 and targeted the companey’s servers in Japan. The focus of the attack, Kadokawa said, was services related to Niconico, a video-sharing application owned by Kadokawa.

“Kadokawa is currently considering solutions and workarounds quickly on a company-wide basis in order to normalize its systems and business activities,” the company said in a statement, which covered “the current status of the key businesses affected by the system failure, workarounds, and the progress of the investigation of information leakage.”

According to Kadokawa, all NicoNico family services are still suspended, which means users are also unable to log into external services using their NicoNico account. “Kadokawa will gradually restart its services as they become available,” the company said.

Launched in April 1945 as Kadokawa Shoten, Kadokawa founded FromSoftware in Tokyo, Japan, in 1986, releasing its first game, King’s Field, in 1994. Besides Elden Ring, FromSoftware is also known for Demon’s Souls (2009) and Dark Souls (2011).

It's unclear whether FromSoftware was affected by the attack. Kadokawa did not immediately respond to a request for comment from Decrypt.

Kadokawa’s report did not identify those responsible for the attack. A group known as “Black Suit,” however, has reportedly taken credit. According to a 2023 report by Techcrunch, Black Suit, then called “Royal,” had by then made off with over $275 million in ransoms.

According to a statement posted on the open-source ransomware tracking website RansomLook, Black Suit apparently detailed the information it had collected, including employee information, contracts, and project code.

“Our team gained access to the Kadokawa network almost a month ago,” Black Suit reportedly wrote. “It took some time, because of the language, to figure out that Kadokawa subsidiaries' networks were connected to each other and to get through all the mess Kadokawa's IT department made there.”

Once the group gained access to Kadokawa’s control center, they allegedly encrypted the whole network—including the systems of Dwango, NicoNico, Kadokawa, and other subsidiaries—while downloading around 1.5 terabytes of data.

“Kadokawa’s IT department detected our presence within the network three days before we had encrypted the network,” Black Suit allegedly wrote. “Admins tried to kick us out from the network, one of our server IPs was blocked, they have tried to change admin credentials, but we have managed to set undetectable access to the network.”

Calling their actions “hacktivism,” Black Suit reportedly said it would help improve Kadokawa’s network security “for a fee,” setting a one-week deadline before threatening to release all the data it stole on July 1.

Made famous by groups including Anonymous, LulzSec, and the Chaos Computer Club, hacktivism is the act of hacking or breaking into a computer system for a purported politically or socially motivated purpose. In this case, however, profit appears to be a prime motivator.

“Details of the private lives of many Japanese citizens are now at the mercy of the Kadokawa Group's management,” Black Suit reportedly said. “It is much easier for a company like Kadokawa to just pay the bills and move on.”

Kadokawa said the company is investigating the attack with the support of “external professional organizations” and apologized for the significant inconvenience and trouble caused by the attack and subsequent system failure.

While Kadokawa and Black Suit did not specify what type of payment the attackers demanded, ransomware attacks typically involve demands of Bitcoin, Monero, or other cryptocurrencies with the promise of decrypting files that the attack encrypted or not releasing sensitive information online.

In December, Sony revealed Insomniac Games had been the victim of a ransomware attack. The Rhysida hacker group claimed responsibility and demanded 50 Bitcoin, around $2 million at the time, for the return of the stolen information.

Insomniac Games confirmed that sensitive current and former employee data, as well as contractor data, were stolen in the attack, along with details about its upcoming Wolverine game, based on the Marvel superhero.

“We’re both saddened and angered about the recent criminal cyberattack on our studio and the emotional toll it’s taken on our dev team,” Insomniac Games shared on Twitter at the time. “We are working quickly to determine what data was impacted. This experience has been extremely distressing for us.”

Edited by Ryan Ozawa.