Incidents & Vulnerabilities
KADOKAWA / Niconico Ransomware (2024) — Why It Spread Company-Wide, and Network Segmentation & BCP
In June 2024, KADOKAWA was hit by ransomware: many services were down for months and ~250,000 people's data leaked. The way in was phishing; it spread company-wide because systems of different criticality shared one network — no segmentation. Defend by hardening the entry, segmenting the network, and preparing BCP.
We read real, public breaches not as replayed news but as "how do you defend against this?" This article is based on the public record (company statements, reputable reporting). Sources are listed at the end; no attack how-to and no identifying details of any individual are included.
- Target
- KADOKAWA group internal systems and personal data of associates, students and employees (operator: KADOKAWA Corporation / Dwango, etc.)
- Detected
- Early hours of 8 June 2024 (group-service outages noticed; services halted that day)
- Pattern
- Phishing of an employee to steal credentials → entry into the internal network → ransomware execution and data theft (double extortion)
- Scale
- ~250,000 people's personal data leaked; many services including Niconico down for months, with knock-on effects on publishing and distribution
- Root cause
- Credential theft via phishing + systems of different criticality on one network (no segmentation) letting it spread company-wide + weak containment and business-continuity readiness
- Real fix
- Phishing-resistant authentication (MFA, passkeys); network segmentation + least privilege; business continuity (BCP), backups and recovery drills
What happened (in plain terms)
Ransomware encrypts an organization's systems for ransom and, increasingly, also threatens to publish stolen data. At KADOKAWA, the first way in was phishing aimed at an employee. A fake login and the like stole credentials, which were used to enter the internal network.
But what made this incident so large wasn't the entry — it was the spread. The video service, publishing core systems, school systems, the corporate site — systems of very different criticality and purpose reportedly shared the same network. With no dividers, a breach in one place cascaded across everything. As a result, many services including Niconico were down for months, with effects on publishing and distribution. More than the intrusion itself, one flat, unsegmented network widened the damage to company scale.
Segment your network like a ship's watertight compartments
Large ships divide the hull into watertight compartments. If one is breached and floods, it's contained there — the ship doesn't sink. Networks are the same: split systems of different criticality and role into separate zones (segments) and limit cross-zone traffic, and one compromise can be stopped there. Put everything on one network and a single hole floods the whole thing.
The attack chain is also a defense map
This was a chain with a place to stop it at every step. Read it as where it could have been broken, not as a how-to.
1. Phishing steals an employee's credentials
A fake login and the like took a staff member's ID and password.
Stop: phishing-resistant auth (MFA, passkeys); anti-phishing
2. Credentials used to enter the internal network
The stolen credentials opened the way inside.
Stop: multi-factor authentication; access control; suspicious-login detection
3. No segmentation — damage spread company-wide
Different-criticality systems shared one network and it cascaded.
Stop: network segmentation; isolate by criticality; least privilege
4. Long business outage, data leaked (double extortion)
Major services were down for months and stolen data was published.
Stop: business continuity (BCP); backups + recovery drills; don't rely on paying
Published timeline
2024-06-08
In the early hours, group services including Niconico go down; the operator (Dwango) halts affected services and begins maintenance.2024-06
Confirmed as a ransomware attack. Even after remotely shutting servers down, the attacker restarted them to keep spreading, so power and communication cables were physically disconnected to contain it.2024-07
A group calling itself BlackSuit claims responsibility and leaks data (double extortion). KADOKAWA discloses the situation in stages.2024-08-05
Investigation results disclosed: ~250,000 people's data (students, guardians, employees, associates). The cause is described as phishing of an employee. Recovery of major services progresses.2024-08–10
Staged recovery (corporate site and book-related in August; Niconico and portals in October). Broad recovery took several months.
The root cause wasn't only the "entry" — it was the spread
Writing this off as "they got phished" misses the point. The entry should be closed, but what matters is whether damage stays localized once inside — that is, segmentation and business continuity.
The setup that failed
- Staff authentication broken by phishing (weak multi-factor wall)
- Systems of different criticality on one network (no segmentation)
- A structure where one compromise cascaded across everything
- Insufficient business-continuity readiness for a long outage
The setup that holds
- Phishing-resistant authentication (MFA, passkeys) hardens the entry
- Network segmentation by criticality, plus least privilege
- Contain a compromise in its zone; prevent company-wide spread
- BCP, backups and recovery drills for a long outage
A ransom is no substitute for a business-continuity plan
Ransom payment gets the headlines, but paying guarantees neither recovery nor that the leak stops (reporting notes cases where, even when a ransom was said to be paid, data was not fully recovered). What you rely on is not payment but network segmentation, backups and a business-continuity plan (BCP) done up front. Deciding "how the business continues and recovers if core systems are down for weeks or months" in calm times is what leaves you options in a crisis. (Related: the old-VPN-device entry in the Capcom incident.)
How you defend against this
Ransomware targets organizations of every size. In priority order:
Harden the entry (phishing-resistant authentication)
The first way in is often phishing. Give staff multi-factor authentication, and where you can a phishing-resistant method like passkeys, so a stolen password from a fake login doesn't get anyone in.
Segment the network by criticality
Split systems of different criticality and role — video, publishing, school, corporate — into separate zones, and limit cross-zone traffic. If one is compromised, stop it there. Build it into your organizational security baseline.
Prepare business continuity (BCP), backups and recovery
Decide in calm times "how the business continues and recovers if core systems are down for a long time." Keep offline / versioned backups and rehearse recovery. Assume paying won't guarantee recovery.
Have the means to contain a compromise fast
Be able to isolate a zone quickly and stop the spread (monitoring, EDR, procedures). With segmentation in place, containment is faster and more effective.
Where this overlaps with how this site is built
At its core, this incident put everything on one network, and one compromise cascaded across the whole company. That is the mirror image of this site's own principles — shrink the blast radius, isolate what matters, and defend in layers. An unsegmented network carries the same danger as one API key that reaches all data, or a single point of failure. "Harden the entry, divide by criticality, and prepare to keep running even when something stops" is a defense anyone can implement at any scale.
Sources (public record)
The facts here are based on the following public information. No attack how-to and no identifying details of any individual are included — only the defensive lessons.
- KADOKAWA Corporation / Dwango official statements (notices on the ransomware attack and data leak, 2024) — group.kadokawa.co.jp
- Contemporary reporting (entry via phishing, the network-segmentation issue, and the recovery timeline, 2024), based on the primary disclosures
Read next
- Glossary: what ransomware is (how it works, and defending to say "no") / what phishing is (cut off the first way in)
- Practice: backup essentials (the 3-2-1 rule) / the organizational security baseline (segmentation, least privilege)
- Case: the Capcom ransomware attack (2020) (an old VPN device and double extortion — a different angle)
FAQ
QWhy did the KADOKAWA breach spread company-wide?
Systems of very different criticality and purpose — the Niconico video service, publishing core systems, school systems, the corporate site — shared the same network and weren't properly segmented. With no internal dividers, a breach in one place cascaded across the whole group. The entry point was phishing that stole an employee's credentials.
QWhat does it mean to 'segment' a network, and why does it help?
It means splitting systems of different criticality and role into <strong>separate zones (segments)</strong> and limiting the traffic that crosses between them. Like a ship's watertight compartments, if one zone floods it can be <strong>contained there.</strong> When segmented, one compromised server doesn't easily spread to other zones. Shrinking the 'blast radius' is a basic, powerful defense.
QCan a smaller org learn from this?
Yes: (1) put your important systems on a different network / privilege boundary from the rest; (2) use phishing-resistant authentication (MFA, passkeys) for staff; (3) have a plan for 'how the business continues if core systems are down for a long time' (BCP), plus backups and recovery drills; (4) assume paying a ransom won't guarantee recovery. Even at a small scale, putting everything on one flat network carries the same danger.