CyberHappenings

Muji online sales disrupted by Askul ransomware attack

1 unique source, 2 articles

Summary

Muji, a Japanese retail company, halted online sales and services due to a ransomware attack on its delivery partner, Askul. The attack occurred on Sunday, October 19, 2025, affecting all retail services, including browsing, purchasing, and order histories. Muji is investigating the impact on shipments and notifying affected customers. Askul, a logistics and e-commerce company, confirmed the ransomware infection, which caused operational disruptions, including suspended order and shipping operations. The attack impacted Muji's Japan sales only, and no ransomware gang claimed responsibility until RansomHouse did so in December. Askul has confirmed the theft of approximately 740,000 customer records, including business customer service data, individual customer service data, and data on business partners, executives, and employees. The company has notified the Personal Information Protection Commission and is working to restore systems. This incident follows a similar ransomware attack on Asahi, Japan’s largest beer producer, which also experienced production and launch delays.

Timeline

  1. 16.12.2025 01:13 · 1 article

    Askul confirms theft of 740k customer records by RansomHouse

    Askul has confirmed the theft of approximately 740,000 customer records, including business customer service data, individual customer service data, and data on business partners, executives, and employees. The attack was claimed by the RansomHouse extortion group, which initially disclosed the breach on October 30 and followed up with two data leaks on November 10 and December 2. The company has notified the Personal Information Protection Commission and is working to restore systems. As of December 15, order shipping continues to be impacted, and the company is still working to fully restore systems.

  2. 20.10.2025 21:45 · 2 articles

    Muji's online sales disrupted by Askul ransomware attack

    On Sunday, October 19, 2025, Muji experienced a logistics outage due to a ransomware attack on its delivery partner, Askul. The attack affected all retail services, including online browsing, purchasing, and order histories. Muji is investigating the impact on shipments and notifying affected customers. Askul confirmed the ransomware infection, leading to suspended order and shipping operations. The disruption is limited to Muji’s Japan sales, with no ransomware gangs claiming responsibility initially.

Similar Happenings

Motility Software Solutions Ransomware Attack Exposes 766,000 Client Records

Motility Software Solutions, a provider of dealer management software (DMS), experienced a ransomware attack on August 19, 2025. The incident exposed the sensitive data of 766,000 customers. The compromised data includes full names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, and driver’s license numbers. The attack affected 7,000 dealerships across the United States. The company has implemented additional security measures, restored systems from backups, and established dark web monitoring. No ransomware group has claimed responsibility for the attack. Motility has offered a year of free identity monitoring services to affected individuals.

Asahi Group Holdings Suffers Cyberattack Disrupting Japanese Operations

Asahi Group Holdings, Ltd., Japan's largest brewer, has confirmed a ransomware attack that began on September 29, 2025, and has disrupted operations in Japan. The incident has affected ordering, shipping, customer service activities, and production at some of its 30 domestic factories. The company has confirmed data theft from compromised devices and is working to restore impacted operations. The attack has not affected operations outside of Japan, and no ransomware group has claimed responsibility. Asahi has established an Emergency Response Headquarters and is collaborating with external cybersecurity experts to restore the system. The company has begun partial manual order processing and shipment and aims to gradually resume call center operations. The potential impact on Asahi’s financial results for fiscal year 2025 is under review. Asahi Group Holdings is investigating the source of the disruption and working to restore impacted operations. The company operates four regional branches and holds significant market share in Japan and internationally. The nature of the cyberattack is confirmed as ransomware, which has led to system failures affecting orders, shipments, and call center operations at all subsidiaries in Japan.

Akira Ransomware Group Disables KNP Logistics Group with Weak Password Exploit

The Akira ransomware group successfully breached KNP Logistics Group (formerly Knights of Old) in June 2025. The attackers exploited a weak employee password to gain access to the company's internet-facing systems. Once inside, they deployed ransomware, encrypted critical data, and destroyed backups, leading to the company's collapse. The incident resulted in the loss of 700 jobs and significant economic impact in Northamptonshire. The attack underscores the critical importance of strong password policies and multi-factor authentication (MFA) in preventing ransomware attacks. The breach highlights the persistent risk posed by weak passwords, with 45% of compromised passwords crackable within a minute. The attack also demonstrates the broader consequences of ransomware attacks, including job losses and economic disruption.

Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, targeting manufacturing, technology, and the US. The RaaS model enables lower-skilled actors to launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations, with SonicWall advising immediate patching and security measures. Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766, an improper access control issue in SonicWall firewalls. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules. 
The earliest activity connected to the Akira ransomware campaign began in mid-July 2025, with similar malicious VPN logins tracked back to October 2024. The campaign remains active, with attacks consistent since July 2025, showing a slight decrease around the end of August and early September, and picking up pace again around the end of September 2025. A range of SonicWall devices, including NSA and TZ series devices running versions of SonicOS 6 and 7, have been targeted. SonicOS firmware versions 6.5.5.1-6n, 7.0.1-5065, 7.0.1-5119, 7.1.2-7019, 7.1.3-7015, and 7.3.0-7012 are vulnerable, as well as hardware models NSa 2600, NSa 2700, NSa 4650, NSa 5700, TZ370, and TZ470. The campaign may trace back to earlier exploitation of CVE-2024-40766, impacting SonicOS 5, 6, and 7, with credentials stolen from vulnerable firewalls possibly carried forward to newer SonicOS versions. Arctic Wolf Labs observed intrusions affecting devices running SonicOS 7.3.0 and even more recent versions, such as 8.0.2. Arctic Wolf Labs recommends monitoring for VPN logins from untrusted hosting infrastructure, maintaining visibility into internal networks, and monitoring for anomalous SMB activity indicative of Impacket use. In June 2025, Akira ransomware expanded its encryption capabilities to target Nutanix AHV virtual machines, encrypting .qcow2 disk files. Akira threat actors have been observed using utilities such as nltest, AnyDesk, LogMeIn, Impacket's wmiexec.py, and VB scripts for reconnaissance, lateral movement, and persistence. Akira has exfiltrated data in as little as two hours during some attacks. Akira has used tunneling tools such as Ngrok to establish encrypted command-and-control channels. Akira has exploited CVE-2023-27532 and CVE-2024-40711 vulnerabilities on unpatched Veeam Backup & Replication servers to gain access and delete backups. 
Akira has been observed copying VMDK files from domain controller VMs to extract NTDS.dit files and SYSTEM hives for domain administrator access. Akira ransomware has claimed approximately $244.17m in ransomware proceeds since late September 2025. Akira threat actors have been observed exfiltrating data in just over two hours from initial access in some incidents. Akira ransomware operators have demonstrated a significant evolution in their tactics by encrypting Nutanix AHV virtual machine disk files for the first time in June 2025. Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials, exploiting vulnerabilities, using initial access brokers (IABs), brute-forcing VPN endpoints, and password spraying techniques. Akira threat actors have been observed gaining initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address. Akira threat actors leverage Impacket to execute the remote command wmiexec.py. Akira threat actors implement techniques such as uninstalling endpoint detection and response (EDR) systems to evade detection. Akira threat actors create new user accounts and add them to the administrator group to establish a foothold in the environment. Akira ransomware operators use tunneling tools like Ngrok to establish encrypted command-and-control (C2) channels that evade perimeter monitoring. Akira ransomware operators leverage PowerShell and WMIC to disable services and run malicious scripts, enabling deeper system compromise. Akira ransomware operators use sophisticated hybrid encryption schemes to lock data, appending encrypted files with extensions such as .akira, .powerranges, .akiranew, or .aki. A ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:) and each user’s home directory (C:\Users). In Q3 2025, Akira, Qilin, and INC Ransomware were the most prolific groups, accounting for 65% of cases. 
The use of valid credentials to access VPNs was the most common method of initial access, accounting for 48% of breaches. Akira consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies. Beazley tracked 11,775 new CVEs published by NIST in Q3 2025, with 38% more advisories issued regarding zero-day vulnerabilities.

Qilin ransomware group targets multiple organizations, including South Korean financial sector

The Qilin ransomware group has been active, targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company, Creative Box Inc. (CBI), a subsidiary of Nissan, Mecklenburg County Public Schools (MCPS), Asahi Group, and Synnovis, a UK pathology services provider. The latest attack was on the South Korean financial sector, where Qilin claims to have stolen over 1 million files and 2 TB of data from 28 victims. The attack on Asahi Group caused significant operational disruption, including a beer shortage in Japan. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical. The Qilin ransomware group operates as a ransomware-as-a-service (RaaS) network, providing tools and infrastructure to affiliates and taking a 15–20% share of ransom payments. The group's malware is custom-built in Rust and C for cross-platform attacks, including Windows, Linux, and ESXi systems. The Qilin ransomware operation was first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. The Qilin ransomware operation has attacked more than 700 victims across 62 countries in 2025. The Qilin ransomware operation has published over 40 new victims per month in the second half of 2025. The Qilin ransomware operation uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. The Qilin ransomware group has been observed exploiting unpatched VPN appliances and lack of multi-factor authentication (MFA) to gain initial access to corporate networks. The Qilin ransomware group has been observed targeting small-to-medium-sized businesses in the construction, healthcare, and financial sectors. The Qilin ransomware group has been observed using new extortion channels, including Telegram and public sites such as WikiLeaksV2. The Qilin ransomware group has been observed collaborating with affiliates of the Scattered Spider group.
Qilin ransomware group has been observed operating as a ransomware-as-a-service (RaaS) group since 2023, leasing its tools and infrastructure to affiliates. Qilin ransomware group has been observed publishing victims' data on dark-web leak sites if no ransom is paid. Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi Group Holdings spent two months investigating the breach, conducting root cause analysis, integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions. Asahi Group Holdings is reviewing the potential impact of the incident on its financial results for fiscal year 2025. The Qilin ransomware group claimed responsibility for the cyber-attack on Asahi Group Holdings. Asahi Group Holdings temporarily suspended its operations in Japan in late September following a system failure due to the ransomware attack. The disruptions included order and shipment operations, call centers, and customer service desks. Asahi Group Holdings postponed the launch of a new product scheduled to be released in October due to the cyber-attack. On October 7, the Qilin ransomware group listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company. Inotiv is notifying 9,542 individuals that their personal information was stolen in the August 2025 ransomware attack. Inotiv has restored availability and access to impacted networks and systems affected by the August 2025 ransomware attack. 
The Qilin ransomware group claimed responsibility for the breach in August 2025, leaked data samples, and said they exfiltrated over 162,000 files totaling 176 GB from Inotiv. Asahi Group Holdings is considering the creation of a dedicated cybersecurity unit within the group. Asahi Group Holdings is scrapping the use of virtual private networks (VPNs) and is adopting a stricter zero-trust model. Asahi Group Holdings has postponed the disclosure of sales performance for its operating due to the ongoing effects of the cyber-attack on its systems. Asahi Group Holdings recorded a 20% year-on-year drop in alcohol sales in Japan in November 2025 due to the cyber-attack. Asahi Group Holdings has refrained from releasing monthly sales data by category and brand due to the ongoing effects of the cyber-attack on its systems. November marks the third consecutive month Asahi Group Holdings has skipped disclosures of sales data, citing difficulties in accurately compiling the figures.