
Askul Corporation Ransomware Attack: 740,000 Customer Records Stolen in RansomHouse Data Breach of B2B and Lohaco Systems

  • Rescana
  • Dec 16, 2025
  • 6 min read

Executive Summary

Askul Corporation, a major Japanese e-commerce and logistics provider, has confirmed the theft of approximately 740,000 customer records following a ransomware attack attributed to the RansomHouse group. The incident, first detected on October 19, 2025, resulted in significant operational disruption, including the suspension of order processing and shipping for both business and individual customers, as well as major partners such as Muji. The compromised data includes business customer service records, individual customer service records, business partner information, and employee data, with exposed fields such as company names, user names, phone numbers, and email addresses. No credit card data compromise has been confirmed, and no ransom was paid. The attack exploited a lack of multi-factor authentication (MFA) on an outsourced partner’s administrator account, enabling the attackers to gain privileged access, disable security tools, move laterally, exfiltrate data, and deploy ransomware across multiple servers. Askul has reported the breach to Japan’s Personal Information Protection Commission and is notifying affected parties individually. The company has implemented a range of technical and operational countermeasures, including system isolation, EDR updates, MFA rollout, and device reinstallation or disposal. This report provides a comprehensive technical analysis of the incident, the tactics and techniques used, and prioritized recommendations for mitigation.

Technical Information

The ransomware attack on Askul Corporation was executed by the RansomHouse group, a threat actor known for targeting large enterprises with a combination of data theft and system encryption. The initial access vector was the compromise of authentication credentials for an outsourced partner’s administrator account, which did not have multi-factor authentication (MFA) enabled. This allowed the attacker to bypass additional authentication controls and gain privileged access to Askul’s internal network (BleepingComputer, https://www.bleepingcomputer.com/news/security/askul-confirms-theft-of-740k-customer-records-in-ransomhouse-attack/).

Once inside the network, the attacker conducted reconnaissance to identify additional authentication information and access multiple servers. The attacker disabled endpoint detection and response (EDR) and other security software, a tactic that aligns with MITRE ATT&CK technique T1562.001 (Impair Defenses: Disable or Modify Tools). Lateral movement was achieved by leveraging valid credentials and remote services, consistent with techniques T1021 (Remote Services) and T1078 (Valid Accounts). The attacker escalated privileges as needed, although the specific methods for privilege escalation were not detailed in public sources.

Multiple ransomware variants were deployed simultaneously across several servers, some of which evaded existing EDR signatures. The ransomware encrypted data and caused system failures, halting order and shipping operations. Backup files were wiped to inhibit system recovery, a tactic mapped to T1490 (Inhibit System Recovery) and T1485 (Data Destruction). The attackers exfiltrated approximately 1.1 terabytes of data, which was later leaked in two stages on November 10 and December 2, 2025. The attack resulted in the exposure of business customer service data (approximately 590,000 records), individual customer service data (approximately 132,000 records), business partner data (approximately 15,000 records), and employee data (approximately 2,700 records). The compromised data fields included company names, user names, phone numbers, and email addresses (The Asahi Shimbun, https://www.asahi.com/ajw/articles/16131079).

The RansomHouse group is known for its multi-pronged extortion tactics, which include data exfiltration, public data leaks, and system encryption. The group typically targets high-value organizations in sectors such as consumer goods, logistics, and professional services, using a combination of phishing, credential theft, and exploitation of weak authentication controls. In this incident, the lack of MFA on a privileged account was a critical vulnerability that enabled the attack.

Askul’s response included physically disconnecting infected networks, isolating affected devices, updating EDR signatures, applying MFA to all key systems, and resetting all administrator account passwords. Devices suspected of infection were either discarded or had their systems reinstalled. The company reported the breach to the Personal Information Protection Commission and began notifying affected customers and partners individually. As of December 15, 2025, order shipping operations were still impacted, and full system restoration was ongoing (The Japan Times, https://www.japantimes.co.jp/business/2025/12/14/companies/askul-data-breached-cyberattack/).

The technical analysis of the attack aligns with the following MITRE ATT&CK techniques:

  • Initial Access: T1078 (Valid Accounts) – Compromised partner admin credentials, no MFA.
  • Execution: T1059 (Command and Scripting Interpreter) – Reconnaissance and lateral movement.
  • Defense Evasion: T1562.001 (Impair Defenses: Disable or Modify Tools) – Disabling EDR and security software.
  • Lateral Movement: T1021 (Remote Services), T1075 (Pass the Hash; this ID has since been revoked in ATT&CK in favor of T1550.002) – Moving between servers.
  • Impact: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1485 (Data Destruction) – Ransomware deployment, backup deletion, system failure.
  • Exfiltration: T1041 (Exfiltration Over C2 Channel) – Data theft and leak.

The attack demonstrates a high level of sophistication, with coordinated deployment of ransomware, effective evasion of security controls, and targeted data exfiltration. The operational impact was significant, affecting both Askul’s direct customers and major partners, and highlighting the risks associated with third-party access and insufficient authentication controls.
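The defense-evasion-then-backup-wipe sequence described above (T1562.001 followed by T1490) is one of the few points in this chain a defender can correlate on. The following detection logic is an added example, not code from Rescana or Askul; it runs over a constructed, simplified event schema, and the service names and backup paths it matches on are assumptions.

```python
"""Detection for the T1562.001 -> T1490 sequence described above: a
security tool stopped on a host, then backup files deleted soon after.

Added example, not from Rescana or Askul. Events use a constructed,
simplified schema (host, ts, action, target); service names and backup
paths are assumptions to be replaced with your own inventory.
"""
from datetime import datetime, timedelta

SECURITY_SERVICES = {"edr-agent", "av-service"}   # assumed tool service names
BACKUP_PATHS = ("/backup/", "D:\\Backups\\")      # assumed backup locations
WINDOW = timedelta(minutes=30)

EVENTS = [  # constructed sample telemetry, one dict per event
    {"host": "srv-01", "ts": "2025-10-19T01:02:00", "action": "service_stop", "target": "edr-agent"},
    {"host": "srv-01", "ts": "2025-10-19T01:05:30", "action": "file_delete", "target": "D:\\Backups\\full.bak"},
    {"host": "srv-02", "ts": "2025-10-19T01:10:00", "action": "service_stop", "target": "print-spooler"},
    {"host": "srv-02", "ts": "2025-10-19T01:12:00", "action": "file_delete", "target": "D:\\Backups\\daily.bak"},
    {"host": "srv-03", "ts": "2025-10-18T20:00:00", "action": "service_stop", "target": "av-service"},
    {"host": "srv-03", "ts": "2025-10-19T01:20:00", "action": "file_delete", "target": "/backup/db.dump"},
]

def is_backup_path(path):
    return path.startswith(BACKUP_PATHS)

def find_tool_stop_then_backup_wipe(events, window=WINDOW):
    """Return (host, stop_ts, delete_ts) for every backup deletion that
    follows a security-tool stop on the same host within `window`.
    A stop alone or a deletion alone is not reported, which keeps routine
    agent upgrades and backup rotation out of the alert."""
    hits = []
    last_stop = {}  # host -> time of most recent security-tool stop
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "service_stop" and e["target"] in SECURITY_SERVICES:
            last_stop[e["host"]] = ts
        elif e["action"] == "file_delete" and is_backup_path(e["target"]):
            stop = last_stop.get(e["host"])
            if stop is not None and ts - stop <= window:
                hits.append((e["host"], stop.isoformat(), ts.isoformat()))
    return hits

if __name__ == "__main__":
    for host, stop_ts, delete_ts in find_tool_stop_then_backup_wipe(EVENTS):
        print(f"ALERT {host}: security tool stopped {stop_ts}, backup deleted {delete_ts}")
```

On the sample data only srv-01 fires: srv-02 stopped a non-security service, and srv-03's tool stop is hours outside the window.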

Affected Versions & Timeline

The incident affected all major business and consumer-facing services operated by Askul Corporation, including its B2B office supplies platform, the “Lohaco” e-commerce service for individual customers, and logistics operations supporting partners such as Muji. The compromised data sets included approximately 590,000 business customer service records, 132,000 individual customer service records, 15,000 business partner records, and 2,700 executive and employee records. The exposed data fields included company names, user names, phone numbers, and email addresses. No credit card data compromise has been confirmed (The Japan Times, https://www.japantimes.co.jp/business/2025/12/14/companies/askul-data-breached-cyberattack/).

The verified timeline of events is as follows:

  • October 19, 2025: Askul detected and announced the ransomware attack, suspending order and shipping operations (The Asahi Shimbun, https://www.asahi.com/ajw/articles/16131079).
  • October 29–31, 2025: The RansomHouse group claimed responsibility and threatened further data leaks.
  • October 30, 2025: RansomHouse publicly disclosed the breach.
  • November 10 and December 2, 2025: RansomHouse released stolen data in two stages.
  • December 14–15, 2025: Askul publicly confirmed the scope of the breach, notified authorities, and began contacting affected customers and partners (BleepingComputer, https://www.bleepingcomputer.com/news/security/askul-confirms-theft-of-740k-customer-records-in-ransomhouse-attack/).

The attack caused ongoing disruption to order shipping and logistics operations, with full system restoration still in progress as of mid-December 2025.

Threat Activity

The RansomHouse group executed a multi-stage attack that began with the compromise of an outsourced partner’s administrator account lacking MFA. After gaining initial access, the attackers conducted network reconnaissance, collected additional credentials, and moved laterally across multiple servers. They disabled EDR and other security tools to evade detection, escalated privileges, and deployed multiple ransomware variants simultaneously. The ransomware encrypted data, caused system failures, and wiped backup files to prevent recovery. The attackers exfiltrated approximately 1.1 terabytes of data, which was later leaked in two public releases.

The group’s tactics align with well-documented MITRE ATT&CK techniques, including T1078 (Valid Accounts), T1562.001 (Impair Defenses), T1021 (Remote Services), T1486 (Data Encrypted for Impact), and T1490 (Inhibit System Recovery). The attack targeted both business and individual customer data, as well as business partners and employees, resulting in significant operational and reputational impact.

RansomHouse is known for targeting large enterprises in sectors such as consumer goods, logistics, and professional services, using a combination of credential theft, phishing, and exploitation of weak authentication controls. The group’s operations typically involve data exfiltration, public data leaks, and system encryption for extortion purposes. In this incident, the lack of MFA on a privileged account was a critical vulnerability that enabled the attack.

No evidence of credit card data compromise or ransom payment has been found. Askul’s response included system isolation, EDR updates, MFA rollout, and device reinstallation or disposal. The company reported the breach to the Personal Information Protection Commission and began notifying affected parties individually.

Mitigation & Workarounds

The following mitigation actions are prioritized by severity:

  • Critical: Immediately implement multi-factor authentication (MFA) on all privileged and third-party accounts. The absence of MFA was the primary vulnerability exploited in this attack, and its implementation is essential to prevent similar incidents.
  • Critical: Review and restrict third-party access to internal systems. Ensure that all outsourced partner accounts are subject to the same security controls as internal accounts, including MFA, strong password policies, and regular access reviews.
  • High: Update and harden endpoint detection and response (EDR) solutions. Ensure that EDR signatures are current, and that EDR tools cannot be easily disabled or bypassed by attackers. Regularly test EDR effectiveness against known ransomware variants.
  • High: Implement robust backup and recovery procedures. Ensure that backup files are stored offline or in immutable storage, and that backup systems are protected by MFA and isolated from production networks. Regularly test backup restoration processes.
  • High: Conduct regular security awareness training for employees and partners. Emphasize the risks associated with credential theft, phishing, and weak authentication controls.
  • Medium: Monitor for signs of data exfiltration and unauthorized access. Deploy network monitoring tools to detect unusual data transfers and access patterns, and establish long-term monitoring for potential misuse of compromised information.
  • Medium: Establish and regularly test incident response plans. Ensure that all stakeholders, including third-party partners, are aware of their roles and responsibilities in the event of a security incident.
  • Low: Communicate transparently with affected customers and partners. Provide timely and accurate information about the scope of the breach, the types of data compromised, and the steps being taken to mitigate risks.

These recommendations are based on the confirmed tactics and techniques used in the Askul incident and are supported by primary source reporting and industry best practices.

References

  • BleepingComputer, December 15, 2025: https://www.bleepingcomputer.com/news/security/askul-confirms-theft-of-740k-customer-records-in-ransomhouse-attack/
  • The Japan Times, December 14, 2025: https://www.japantimes.co.jp/business/2025/12/14/companies/askul-data-breached-cyberattack/
  • The Asahi Shimbun, November 1, 2025: https://www.asahi.com/ajw/articles/16131079

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external partners and vendors. Our platform enables continuous evaluation of third-party access controls, authentication practices, and incident response readiness, supporting organizations in reducing the risk of supply chain and outsourced partner-related security incidents. For questions or further information, please contact us at ops@rescana.com.