Japanese multinational conglomerate Fujifilm said it has refused to pay a ransom demand to the cyber gang that attacked its network in Japan last week and is instead relying on backups to restore operations.
The company’s computer systems in the US, Europe, the Middle East and Africa are now “fully operational and back to business as usual”, a Fujifilm spokesperson told Verdict.
Fujifilm – once known for selling photographic film but now produces biotechnology, chemical and other digital imaging products – detected unauthorised access to its servers on 1 June.
On 4 June it confirmed a ransomware attack was affecting a “specific network” in Japan and that it shut down “all networks and server systems” while it investigated the “extent and scale” of the attack.
Fujifilm said it would not comment on the amount demanded by the ransomware gang. The company has started bringing its network, servers, and computers in Japan “back into operation” and is aiming to be fully up and running “this week”. It has also restarted some product deliveries, which were particularly hard hit by the cyberattack.
“Fujifilm Corporation in Tokyo does not comment on the demand but I can confirm we have not paid any ransom,” the Fujifilm spokesperson said.
When asked if the company has sufficient backups in place to restore from, the spokesperson said: “Fujifilm does have backups in place as a part of its normal operation procedure aligned with its policy.”
Jake Moore, cybersecurity specialist at internet security firm ESET, said refusing to pay a ransom is “not a decision to be taken lightly.”
Ransomware gangs often threaten to leak or sell sensitive data if payment is not made.
However, Fujifilm Europe said it is “highly confident that no loss, destruction, alteration, unauthorised use or disclosure of our data, or our customers’ data, on Fujifilm Europe’s systems has been detected.”
The spokesperson added: “From a European perspective, we have determined that there is no related risk to our network, servers and equipment in the EMEA region or that of our customers across EMEA. We presently have no indication that any of our regional systems have been compromised, including those involving customer data.”
It is not clear if the ransomware gang stole Fujifilm data from the affected network in Japan. Fujifilm declined to comment when asked if those responsible had threatened to publish data if the ransom is not paid.
According to security news site Bleeping Computer, Fujifilm was infected with the Qbot trojan last month. The group operating it is reportedly working with prolific ransomware-as-a-service gang REvil. However, Fujifilm told Verdict it hasn’t found any evidence that REvil is involved in the attack.
Last week the FBI said REvil ransomware, also known as Sodinokibi, was behind an attack on JBS, the world’s largest meat processor. JBS became fully operational again over the weekend.
Recent high-profile attacks such as the Colonial Pipeline hack have brought ransomware firmly into the spotlight of policymakers and law enforcement.
Last week the White House published an advisory urging private sector organisations to “take ransomware crime seriously” and ensure “corporate cyber defences match the threat.”
The US Department of Justice is also moving to give ransomware intelligence sharing a similar structure to anti-terrorism.
Ransomware continues to be a highly lucrative enterprise for cybercriminals. Ransom payments, made using the cryptocurrency bitcoin, can run into the millions.
According to Cybersecurity Ventures, the economic fallout caused by ransomware could cost $265bn globally by 2031.
Cybersecurity experts advise against paying the ransom demand because there is no guarantee that systems will be restored, or that stolen data won’t be sold anyway.
“Backup solutions are essential in any business, but when push comes to shove and all data becomes encrypted it takes confidence to refuse payment knowing the consequences could potentially be more damaging,” said Moore. “It is often said that paying a ransom can be cheaper or quicker. But it fuels the ransomware cycle – not to mention it remains immoral.”