Skip to content
>_ITDITDWeb Security Platform

Incidents & Vulnerabilities

KADOKAWA / Niconico Ransomware (2024) — Why It Spread Company-Wide, and Network Segmentation & BCP

In June 2024, KADOKAWA was hit by ransomware: many services were down for months and ~250,000 people's data leaked. The way in was phishing; it spread company-wide because systems of different criticality shared one network — no segmentation. Defend by hardening the entry, segmenting the network, and preparing BCP.

Published 2026-07-07 Updated 2026-07-07 9 min read

We read real, public breaches not as replayed news but as "how do you defend against this?" This article is based on the public record (company statements, reputable reporting). Sources are listed at the end; no attack how-to and no identifying details of any individual are included.

~250,000
People whose data leaked
Phishing
Stolen employee credentials as the way in
Months down
Niconico and more offline for months
No segmentation
Different-criticality systems on one network
Case file
Target
KADOKAWA group internal systems and personal data of associates, students and employees (operator: KADOKAWA Corporation / Dwango, etc.)
Detected
Early hours of 8 June 2024 (group-service outages noticed; services halted that day)
Pattern
Phishing of an employee to steal credentials → entry into the internal network → ransomware execution and data theft (double extortion)
Scale
~250,000 people's personal data leaked; many services including Niconico down for months, with knock-on effects on publishing and distribution
Root cause
Credential theft via phishing + systems of different criticality on one network (no segmentation) letting it spread company-wide + weak containment and business-continuity readiness
Real fix
Phishing-resistant authentication (MFA, passkeys); network segmentation + least privilege; business continuity (BCP), backups and recovery drills

What happened (in plain terms)

Ransomware encrypts an organization's systems for ransom and, increasingly, also threatens to publish stolen data. At KADOKAWA, the first way in was phishing aimed at an employee. A fake login and the like stole credentials, which were used to enter the internal network.

But what made this incident so large wasn't the entry — it was the spread. The video service, publishing core systems, school systems, the corporate site — systems of very different criticality and purpose reportedly shared the same network. With no dividers, a breach in one place cascaded across everything. As a result, many services including Niconico were down for months, with effects on publishing and distribution. More than the intrusion itself, one flat, unsegmented network widened the damage to company scale.

Segment your network like a ship's watertight compartments

Large ships divide the hull into watertight compartments. If one is breached and floods, it's contained there — the ship doesn't sink. Networks are the same: split systems of different criticality and role into separate zones (segments) and limit cross-zone traffic, and one compromise can be stopped there. Put everything on one network and a single hole floods the whole thing.

The attack chain is also a defense map

This was a chain with a place to stop it at every step. Read it as where it could have been broken, not as a how-to.

1. Phishing steals an employee's credentials

A fake login and the like took a staff member's ID and password.

Stop: phishing-resistant auth (MFA, passkeys); anti-phishing

2. Credentials used to enter the internal network

The stolen credentials opened the way inside.

Stop: multi-factor authentication; access control; suspicious-login detection

3. No segmentation — damage spread company-wide

Different-criticality systems shared one network and it cascaded.

Stop: network segmentation; isolate by criticality; least privilege

4. Long business outage, data leaked (double extortion)

Major services were down for months and stolen data was published.

Stop: business continuity (BCP); backups + recovery drills; don't rely on paying

Every step had a stop. Defense-in-depth means holding several of these stops, not one wall.

Published timeline

  1. 2024-06-08

    In the early hours, group services including Niconico go down; the operator (Dwango) halts affected services and begins maintenance.
  2. 2024-06

    Confirmed as a ransomware attack. Even after remotely shutting servers down, the attacker restarted them to keep spreading, so power and communication cables were physically disconnected to contain it.
  3. 2024-07

    A group calling itself BlackSuit claims responsibility and leaks data (double extortion). KADOKAWA discloses the situation in stages.
  4. 2024-08-05

    Investigation results disclosed: ~250,000 people's data (students, guardians, employees, associates). The cause is described as phishing of an employee. Recovery of major services progresses.
  5. 2024-08–10

    Staged recovery (corporate site and book-related in August; Niconico and portals in October). Broad recovery took several months.

The root cause wasn't only the "entry" — it was the spread

Writing this off as "they got phished" misses the point. The entry should be closed, but what matters is whether damage stays localized once inside — that is, segmentation and business continuity.

The setup that failed

  • Staff authentication broken by phishing (weak multi-factor wall)
  • Systems of different criticality on one network (no segmentation)
  • A structure where one compromise cascaded across everything
  • Insufficient business-continuity readiness for a long outage

The setup that holds

  • Phishing-resistant authentication (MFA, passkeys) hardens the entry
  • Network segmentation by criticality, plus least privilege
  • Contain a compromise in its zone; prevent company-wide spread
  • BCP, backups and recovery drills for a long outage

A ransom is no substitute for a business-continuity plan

Ransom payment gets the headlines, but paying guarantees neither recovery nor that the leak stops (reporting notes cases where, even when a ransom was said to be paid, data was not fully recovered). What you rely on is not payment but network segmentation, backups and a business-continuity plan (BCP) done up front. Deciding "how the business continues and recovers if core systems are down for weeks or months" in calm times is what leaves you options in a crisis. (Related: the old-VPN-device entry in the Capcom incident.)

How you defend against this

Ransomware targets organizations of every size. In priority order:

1

Harden the entry (phishing-resistant authentication)

The first way in is often phishing. Give staff multi-factor authentication, and where you can a phishing-resistant method like passkeys, so a stolen password from a fake login doesn't get anyone in.

2

Segment the network by criticality

Split systems of different criticality and role — video, publishing, school, corporate — into separate zones, and limit cross-zone traffic. If one is compromised, stop it there. Build it into your organizational security baseline.

3

Prepare business continuity (BCP), backups and recovery

Decide in calm times "how the business continues and recovers if core systems are down for a long time." Keep offline / versioned backups and rehearse recovery. Assume paying won't guarantee recovery.

4

Have the means to contain a compromise fast

Be able to isolate a zone quickly and stop the spread (monitoring, EDR, procedures). With segmentation in place, containment is faster and more effective.

Where this overlaps with how this site is built

At its core, this incident put everything on one network, and one compromise cascaded across the whole company. That is the mirror image of this site's own principles — shrink the blast radius, isolate what matters, and defend in layers. An unsegmented network carries the same danger as one API key that reaches all data, or a single point of failure. "Harden the entry, divide by criticality, and prepare to keep running even when something stops" is a defense anyone can implement at any scale.

Sources (public record)

The facts here are based on the following public information. No attack how-to and no identifying details of any individual are included — only the defensive lessons.

  • KADOKAWA Corporation / Dwango official statements (notices on the ransomware attack and data leak, 2024) — group.kadokawa.co.jp
  • Contemporary reporting (entry via phishing, the network-segmentation issue, and the recovery timeline, 2024), based on the primary disclosures

FAQ

QWhy did the KADOKAWA breach spread company-wide?
A

Systems of very different criticality and purpose — the Niconico video service, publishing core systems, school systems, the corporate site — shared the same network and weren't properly segmented. With no internal dividers, a breach in one place cascaded across the whole group. The entry point was phishing that stole an employee's credentials.

QWhat does it mean to 'segment' a network, and why does it help?
A

It means splitting systems of different criticality and role into <strong>separate zones (segments)</strong> and limiting the traffic that crosses between them. Like a ship's watertight compartments, if one zone floods it can be <strong>contained there.</strong> When segmented, one compromised server doesn't easily spread to other zones. Shrinking the 'blast radius' is a basic, powerful defense.

QCan a smaller org learn from this?
A

Yes: (1) put your important systems on a different network / privilege boundary from the rest; (2) use phishing-resistant authentication (MFA, passkeys) for staff; (3) have a plan for 'how the business continues if core systems are down for a long time' (BCP), plus backups and recovery drills; (4) assume paying a ransom won't guarantee recovery. Even at a small scale, putting everything on one flat network carries the same danger.