(Original Video in Japanese was published on the FINOLAB CHANNEL on Oct. 14, 2025 by Makoto Shibata)
https://www.youtube.com/watch?v=K8leas2QQPU
Defining the Modern Ransomware Threat
Ransomware, a compound word of “ransom” and “software,” is malicious programming designed to infect systems and encrypt data files, rendering them unusable. The attackers then demand a ransom payment—often in cryptocurrency—in exchange for the decryption key. While this threat is decades old, its evolution has led to devastating, large-scale attacks targeting major corporations.
In recent high-profile cases, the scope of damage has been immense. Beverage giant Asahi Group Holdings recently faced operational disruption to its shipping business following a ransomware attack. Last year, the attack on KADOKAWA caused major service outages (including the video platform “NICO-NICO”), coupled with the exposure of over 250,000 pieces of personal information, underscoring the severe social impact of these breaches.
The Evolving Threat Landscape
The journey of ransomware has moved far beyond simple, indiscriminate attacks to sophisticated, high-impact operations.
From Spray-and-Pray to Targeted Extortion
The earliest forms of ransomware used “spray-and-pray” tactics, spreading through phishing emails or malicious websites to infect wide swaths of users. The scene changed around 2013 with the emergence of powerful tools like CryptoLocker and the rise of Ransomware-as-a-Service (RaaS), which diversified and scaled attacks.
Today, the primary trend is targeted attacks, where highly sophisticated groups focus on specific, high-value entities like government agencies or major corporations, ensuring a larger payoff and maximizing disruption.
The Shift to Multi-Layered Blackmailing
Modern ransomware groups rarely rely solely on encryption. They have adopted advanced extortion tactics to increase pressure:
- Double Extortion: Attackers first exfiltrate (steal) the data before encrypting it. They then demand a ransom not only for the decryption key but also in exchange for not publishing the stolen data on the dark web.
- Triple Extortion: This method adds another layer of pressure, often involving a Distributed Denial of Service (DDoS) attack on the victim’s network during the crisis to prevent business recovery and force compliance.
- Non-Encryption Extortion: Some groups skip the encryption step entirely, simply stealing the data and demanding ransom in exchange for keeping the theft and data secret.
The primary entry points for these sophisticated attacks often include vulnerabilities in VPNs (Virtual Private Networks) used by remote workers and flaws in Remote Desktop Protocol (RDP) systems.
The Critical Threat of Third-Party Risk in Finance
Financial Institutions (FIs) are prime targets due to the high value of the data they hold (account details, personal information, transaction records) and the massive societal impact of system disruption. While major FIs maintain robust, state-of-the-art security, the attacks are shifting to their peripheral partners.
Supply Chain Attacks: The Weakest Link
Direct successful ransomware attacks on the core systems of major FIs remain relatively rare. However, increasing threats are being seen through supply chain attacks targeting third-party vendors who provide crucial, yet often less-protected, services.
Examples of Vendor Breaches Affecting Japanese FIs:
- Accounting/Consulting Firms: A ransomware attack on the Takano Comprehensive Accounting Group led to the potential leakage of customer information belonging to client FIs, including Tokio Marine & Nichido, Iyo Bank, and Sumitomo Mitsui Trust Bank.
- Printing Services: The printing major Iseto was attacked, resulting in the confirmed outflow of customer data from multiple FIs (including over 250,000 records from Iyo Bank alone), as the firm handled confidential print jobs and stored associated client data.
These incidents highlight that any vendor, from specialized IT services to seemingly low-risk functions like accounting and printing, represents a potential security vulnerability—a Third-Party Risk—that FIs must mitigate.
Regulatory Imperatives and the Path Forward
In response to the growing severity of ransomware and supply chain attacks, the Japanese Financial Services Agency (FSA) has tightened its regulatory guidance, emphasizing proactive prevention and robust response capabilities.
The FSA’s directives across various guidance documents establish strict requirements for FIs:
| Focus Area | FSA Guidance Requirement |
|---|---|
| Third-Party Management | FIs must pre-assess the security posture of external vendors, clearly define responsibilities and oversight in contracts (including procedures for sub-contracting), and periodically monitor the vendors’ security status. |
| Incident Response & Recovery | Response plans must prioritize the customer and include procedures for rapid identification of affected areas. Crucially, plans must detail steps for rapid recovery from backups, which must be secured offline. |
| Defense in Depth | FIs must implement multi-layered defenses: Inlet (strong filtering against phishing/malware), Internal (privileged ID management and network segmentation), and Outlet (log analysis and blocking suspicious communication). |
| Board Governance | The Board of Directors must acknowledge cyber risk as a critical business issue, integrating it into enterprise-wide risk management and ensuring adequate resources and specialized personnel are allocated. |
Conclusion: Actionable Checklist for FIs and FinTech startups
For FinTech startups seeking partnerships with major FIs, and for FIs managing their vendor relationships, compliance with these regulatory requirements is non-negotiable.
| Category | Key Action Items (Based on FSA Guidance) |
|---|---|
| Vendor Management | Pre-assess the security posture of external vendors. Ensure contracts clearly stipulate responsibilities, oversight, and procedures for sub-contracting. Monitor the vendor’s security compliance status regularly. |
| Defense in Depth | Inlet: Implement robust filtering against phishing and web intrusion. Internal: Secure privileged ID management and maintain network segmentation. Outlet: Block suspicious communications and conduct log monitoring. |
| Detection | Implement systems (like EDR) for the early detection of ransomware infection. Establish mechanisms for log analysis and unauthorized access detection. |
| Incident Response | Create a clear response plan for incidents, prioritizing the customer. Securely and regularly back up critical data, storing backups offline (air-gapped). Periodically test rapid recovery procedures from backups. |
| Governance | The Board of Directors must recognize cyber risk as a key management issue. Ensure specialized departments and personnel are in place, and conduct regular security audits and reviews. |
| Information Sharing | Participate in industry information networks (like FISC) and maintain frameworks for sharing threat intelligence with domestic and international authorities. |
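The Detection and Defense in Depth rows above ask for log analysis that catches a ransomware infection early, before encryption spreads. The following is an added example of what one such detection looks like in practice; it is not code from the video, the FSA guidance, or any product. It parses a constructed file-audit log (the line layout, hostnames, accounts, paths, the `.locked` extension and the window/threshold values are all assumptions made for the example) and raises an alert when one host/user pair renames many files to the same new extension within a short window, which is the visible footprint of bulk encryption in the Iseto-style scenario where a vendor's print-job store is hit.

```python
"""Added example (not from the original article): flag a burst of file renames to
one new extension in a constructed file-audit log, a crude but widely used signal
of ransomware encryption activity. Log format, names and thresholds are assumptions."""
import os
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed file-audit log format (constructed for this example, not a real product's):
#   <ISO timestamp> host=<name> user=<account> op=<WRITE|RENAME|...> path="<file>" [new_path="<file>"]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) '
    r'path="(?P<path>[^"]+)"(?: new_path="(?P<new_path>[^"]+)")?$'
)


def _line(ts, host, user, op, path, new_path=None):
    """Format one constructed log line in the assumed layout."""
    out = '{} host={} user={} op={} path="{}"'.format(ts.isoformat(), host, user, op, path)
    if new_path:
        out += ' new_path="{}"'.format(new_path)
    return out


def build_sample_log():
    """Constructed sample: ordinary user activity, one malformed line, and a rename
    burst by a service account on a print server (hosts, users, paths are made up)."""
    t0 = datetime(2025, 10, 14, 9, 0, 0)
    lines = [
        _line(t0, "WS-07", "alice", "WRITE", "/home/alice/report.docx"),
        _line(t0 + timedelta(minutes=2), "WS-07", "alice", "RENAME",
              "/home/alice/report.docx", "/home/alice/report_v2.docx"),
        _line(t0 + timedelta(minutes=5), "WS-07", "alice", "RENAME",
              "/home/alice/export.csv", "/home/alice/export.txt"),
        "this line is deliberately malformed and must be skipped",
    ]
    # 25 print jobs get a new extension within 25 seconds: the encryption footprint.
    for i in range(25):
        src = "/srv/jobs/statement_{:03d}.pdf".format(i)
        lines.append(_line(t0 + timedelta(minutes=3, seconds=i), "PRINT-01", "svc-print",
                           "RENAME", src, src + ".locked"))
    return lines


def parse_log(lines):
    """Parse lines into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_rename_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Alert when one (host, user) renames at least `threshold` files to the same
    extension, different from each file's previous one, inside a `window`-long span.
    The defaults are assumptions to be tuned against the environment's normal load."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["op"] != "RENAME" or not ev["new_path"]:
            continue
        old_ext = os.path.splitext(ev["path"])[1].lower()
        new_ext = os.path.splitext(ev["new_path"])[1].lower()
        if new_ext and new_ext != old_ext:  # plain renames keeping the extension are ignored
            by_actor[(ev["host"], ev["user"])].append((ev["ts"], new_ext, ev["path"]))

    alerts = []
    for (host, user), items in by_actor.items():
        items.sort()
        best = None
        start = 0
        for end in range(len(items)):  # sliding time window over this actor's renames
            while items[end][0] - items[start][0] > window:
                start += 1
            ext, n = Counter(e for _, e, _ in items[start:end + 1]).most_common(1)[0]
            if n >= threshold and (best is None or n > best["count"]):
                best = {"host": host, "user": user, "extension": ext, "count": n,
                        "first_seen": items[start][0], "last_seen": items[end][0]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_rename_bursts(parse_log(build_sample_log())):
        print("ALERT {host}/{user}: {count} files renamed to {extension} "
              "between {first_seen} and {last_seen}".format(**a))
```

Run against real EDR or file-server audit exports, the same logic needs an allow-list for legitimate batch jobs (archiving, format conversion) that also rename files in bulk, and the alert should feed the incident-response plan from the table above so that the affected host can be isolated and recovery from the offline backup started while the blast radius is still one server.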
The era of ransomware requires both FIs and their entire ecosystem to move from simple defense to comprehensive, multi-layered risk management where vendors are held to the same high security standards as the institution itself.
