A year ago, midsize Japanese logistics company Kantsu suffered significant damage from a cyberattack in which ransomware locked its servers and cut off communications, bringing the company’s shipping operations to a halt.
We spoke with Kantsu President Hisahiro Tatsujo, the company’s chief executive, about the company’s experience responding to the cyberattack from both a cybersecurity and a business resilience perspective. What follows is an in-depth picture of what a business organization deals with when navigating a ransomware attack that leaves its very survival at stake.
All data unavailable, affecting over 500 companies
On Thursday, Sept. 12, 2024, President Tatsujo received a report of a cyberattack from the director in charge of systems: “We’ve been infected with ransomware. It looks like our server has been locked.”
It was 6:15 p.m., just before the end of business. The company’s internal network and all internal systems were shut down, leaving all means of communication both inside and outside the company cut off.
Kantsu Co., Ltd. is a pioneering company in ecommerce and mail-order logistics support, headquartered in Amagasaki, Hyogo Prefecture. Starting with a single light truck in 1983, the company has grown by combining on-site capabilities and technology to operate more than 20 logistics bases nationwide. By introducing the cloud-based warehouse management system (WMS) “Cloud Thomas” to its business partners, Kantsu has accelerated shipping timelines and reduced costs. For Kantsu, being hit by a cyberattack was a serious incident that put the company’s continued existence on the line.
Tatsujo initially assumed it was just an outage but was shocked when he saw the server room with his own eyes. The server screen in front of him displayed the ominous message “Your company data has been encrypted” against a black background.
Later Kantsu would come to find that the first attack occurred in July 2024, with evidence of a server intrusion following in August. A vulnerability in the company’s SSL VPN device was exploited, leaking IDs and passwords that were then used to gain access to the network. By Sept. 12, the entire contents of the server had been encrypted.
At 7 a.m. the day after the network went down, Tatsujo called an emergency meeting with executives to share the situation and discuss response. An emergency response room was set up, with a company-wide effort to:
set up a new group email system and secure emergency contact points
establish a dedicated contact point for business partners to handle inquiries
prohibit internal internet access
check the operational status of major systems
All shipping operations came to a halt. The company explained the situation to all employees at 9:00 a.m., and began assessing the damage and taking measures by 10:00 a.m.
The servers had already been fully encrypted, all data was rendered unusable, some backups were damaged, and it was necessary to determine whether data could be recovered. The number of affected companies had risen to over 500.
“We began recovery on Friday, Sept. 13, and had a long weekend on Saturday, Sunday, and Monday. In the logistics industry, we can’t do anything without inventory data. Because the inventory data was locked, we had to do stocktaking by pen and paper. We were able to serve 30% of our customers on weekends, but 70% of our customers were closed. This was a blessing in disguise,” Tatsujo says.
Outlining response
Kantsu then began collaborating with the police, the cyberattack response teams of the company’s insurers, and security specialists to confirm the scope of cyber insurance coverage and estimate the amount of damage.
At 1:00 p.m., Tatsujo and his team held a meeting with the insurance company’s cyberattack response team to outline the response policy:
We will not pay ransom extortion under any circumstances
It may take more than a month to fully recover
We must completely shut down the network to prevent recurrence
At 5 p.m., they decided on a recovery plan that included temporarily implementing analog solutions to resume operations, replacing all PCs and networks with new ones, and prioritizing customer support over the recovery of existing systems. But when they began the actual recovery work, they encountered an unexpected pitfall.
“We considered how to restore operations as quickly as possible. We did a variety of things, including asking other companies in the same industry to send packages, even ignoring our own profits,” Tatsujo says.
Ditching old networks and PCs
On Sept. 14 at 1:00 p.m., an emergency meeting was held with representatives from Kantsu’s insurance company, lawyers, and the security company to discuss the cyber insurance coverage Kantsu had taken out. The insurance company warned, “We can cover direct damage caused by ransomware attacks in accordance with the terms of the contract, but we need to thoroughly examine claims for damages from business partners and lost profits.”
On Sept. 15, an internal meeting was held at 10:00 a.m. Many employees in the Kanto area were in the office, waiting for instructions. Dealing with business partners was divided into two main areas. The first was dealing with external sales of systems such as WMS.
Managing Director and Sales Division Manager Masatake Matsuoka took the lead in adding new addresses, setting up reporting channels for each company, and making regular reports.
“I remember making sure at that time that we didn’t miss any priority customers,” President Tatsujo says.
The other was to check the situation at the logistics site. The information systems headquarters was proceeding with shipping to business partners that could be handled with simple tasks, but individual support from the field was halted as company-wide support was prioritized. At that time, the only things that were possible were analog shipping and inventory work.
To prevent reinfection with ransomware, the company prohibited use of old networks and PCs. Tethering was used, with smartphones as Wi-Fi routers. Where possible, this was used to facilitate shipping. New PCs were purchased to create an on-premises environment. The system development department (25 people) in Akihabara proceeded with the reconstruction of “Cloud Thomas” using AWS cloud services.
Regarding the newly reconstructed system, Toshimoto Tatsujo, who serves as general manager of the corporate planning division and general manager of the information systems management department, had this to say: “The new system maintains the same functionality and operability as before, but we have significantly strengthened security. We have made it so that only authorized addresses can access the system. We have also improved vulnerabilities such as application bugs that make them targets for cyberattacks.”
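The statement that “only authorized addresses can access the system” is the kind of control a practitioner would want to verify rather than take on faith. The following is an added example, not Kantsu’s code or configuration: it audits security-group ingress rules of the shape returned by `aws ec2 describe-security-groups` against an approved source allowlist, flagging rules open to the whole internet, rules whose source is not on the list, and rules that allow every protocol. The group ID, ports and address ranges in the sample are constructed (RFC 5737 documentation ranges), and the “approved” list is an assumption for illustration.

```python
import ipaddress

# Approved source ranges for the rebuilt WMS (hypothetical; RFC 5737
# documentation-only address blocks are used so nothing here is a real network).
APPROVED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),    # head-office egress range
    ipaddress.ip_network("198.51.100.10/32"),  # partner integration gateway
]

# Constructed sample, shaped like the IpPermissions entries returned by
# `aws ec2 describe-security-groups`; the group ID and rules are made up.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "wms-app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "192.0.2.5/32"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "198.51.100.10/32"}], "Ipv6Ranges": []},
        ],
    },
]


def _port_label(perm):
    """Render a rule's protocol/port span for a human-readable finding."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # AWS uses -1 for "all protocols", with no port fields
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"


def _is_approved(net, approved):
    """True if `net` lies entirely inside an approved range of the same IP version."""
    return any(net.subnet_of(a) for a in approved if a.version == net.version)


def audit_ingress(groups, approved=APPROVED_SOURCES):
    """Return one finding dict per ingress rule that violates the allowlist policy.

    Policy: no rule may be open to the whole internet, every source CIDR must be
    contained in an approved range, and no rule may allow all protocols.
    """
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            label = _port_label(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    reason = "open to the entire internet"
                elif not _is_approved(net, approved):
                    reason = "source not on the approved list"
                elif perm.get("IpProtocol") == "-1":
                    reason = "all protocols and ports allowed"
                else:
                    continue  # rule conforms to policy
                findings.append({
                    "group": group["GroupId"],
                    "rule": f"{label} from {cidr}",
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['rule']} -> {f['reason']}")
```

Run against the sample it reports three findings (the 0.0.0.0/0 rule, the unapproved RDP source, and the all-protocols rule) and stays silent on the conforming HTTPS rule. In practice the input would be the JSON from the real API call, and a non-empty result should fail the deployment check rather than just print.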
The company has also strengthened its security education for employees.
“We regularly conduct training related to email and targeted cyberattacks. There are many things we need to make sure everyone is aware of, so we hold these training sessions once a week for about six months. We also conduct internal audits once a quarter specifically focused on security. We receive guidance from experts on the checklist items, and we carry out the operations ourselves,” says General Manager Tatsujo.
In times of emergency, cash for recovery is important
Kantsu launched a counterattack the following week on Monday, Sept. 16, reviewing their security measures and searching for a security company that could respond to the incident.
Furthermore, they explained the current situation to employees and strengthened cooperation. They set a short-term goal of temporary restoration and announced a policy to clarify the role of each employee. The problem here was normalizing the working environment. If they worked day and night, problems such as seven consecutive days of work and excessive overtime would arise. They considered shifts that would prevent such problems from occurring and decided to reward employees for their efforts by offering overtime pay several times the normal amount.
“In times of emergency like this, the most important thing is cash to recover as quickly as possible, rather than cost reduction. However, insurance companies do not pay claims immediately. So we asked various financial institutions to provide us with a total of ¥2 billion [about US$13 million] in loans. Also, because reputational damage is likely to occur first within the company, we assured our employees that there would be no delays in the payment of salaries or bonuses,” says President Tatsujo.
The report was made to the Tokyo Stock Exchange on the afternoon of Sept. 18. Dealing with the police was left to a lawyer, and the ransomware damage cases were investigated. The goal was shared: to aim for 50% to 80% recovery by the end of September, and to start using the new system from October.
At 8:30 a.m. on Sept. 22, a list of “things you must not do” was sent to all employees to ensure they strictly adhered to the rules. The list included prohibitions such as “connecting to the old PC or old network” and “connecting to Wi-Fi outside the company without permission.”
At this time, major problems were arising among employees. Recovery work was being carried out day and night, resulting in seven consecutive days of work and excessive overtime. The following were decided upon:
If employees exceed seven consecutive work days, they will be given one day off
The maximum number of working hours per day will be limited to 10 hours
The number of temporary staff will be increased as necessary
The company will cover taxi fares and hotel expenses
Furthermore, on Sept. 24, the company formally reported to the Personal Information Protection Commission, concluding that “although no actual leak has been confirmed, there is a certain risk.”
On the same day, the cloud-based WMS “Cloud Thomas” went live, and the systems of major customers were gradually brought back online. At this point, however, the system was still not fully restored. So they turned their attention to another company’s WMS, using it to run some of their operations.
“We once again felt the need to create a logistics system that does not rely too heavily on Cloud Thomas, with multiple backups and the flexibility to incorporate external systems,” says President Tatsujo.
The business aftermath
Just because Cloud Thomas was up and running didn’t mean business would return to normal. The system was attacked and all billing data was lost. The accounting department had to rebuild billing operations from scratch.
So the accounting department found billing data from when the old system was still functioning and, using that as a reference, worked with the warehouse to manually check each shipping record. They also explained the situation to business partners, and made every effort to seek their understanding, rather than insisting that “the system data had been lost.”
The accounting department made extensive use of telephone and email contact with each client to thoroughly confirm and explain the invoice amounts. Some clients pressed them, asking, “Why are the amounts so high?” but they persevered in negotiations and issued almost all invoices on time.
Along with getting the system up and running, preventing cancellations was also important. To maintain long-term relationships, flexible price adjustments and special treatments were implemented. Sales representatives repeatedly negotiated with clients individually, hoping that they “would somehow not abandon Kantsu,” says President Tatsujo, who said the following in a meeting of executives and members of the sales department: “It’s difficult to stop all cancellations, but we’ll do our best to encourage as many companies as possible to continue doing business with us.”
But because each client has a different business flow and data management method, the available alternatives also differ. Sales staff had to sort through each of these and respond accordingly.
“In the end, many customers cooperated, which made me really happy. Rakuten Ichiba, in particular, offers a service called ‘Strongest Delivery,’ which allows for next-day delivery and delivery time specification, but they were considerate enough to allow us a grace period in consideration of the delay in delivery,” says President Tatsujo.
Individual negotiations with business partners were successful, and of the 250 business partners related to Kantsu’s core business — ecommerce logistics — only two companies terminated their contracts early.
However, the head of Kantsu’s IT department then said, “It’s impossible to restore all of our customers at once.”
Kantsu’s logistics operations are supported not only by its own employees, but also by external partner companies. President Tatsujo held an online meeting with these partner companies to explain the current situation and future recovery plans, and requested further cooperation.
Throw away all your old systems
More than two weeks after the cyberattack, Kantsu’s management team was faced with an important decision: what to do with the RPA and order placement systems that had been implemented. These systems had stopped functioning entirely because of the cyberattack, and there was a possibility that the systems themselves had been used as an attack route.
“How long will it take to recover?”
In response to management’s question, the system manager replied, “It will take at least a month, but even if it is restored, there is no guarantee of safety.”
On hearing this, President Tatsujo decided that “we have no choice but to make bold cuts.” The write-off totaled ¥700 million (about US$4.6 million). It was a big blow to Kantsu, but better than waiting for a system with no clear date for full restoration.
“At that time, a security expert told me, ‘A house that has been broken into by a thief cannot be used without investigating everything from the entry point to the house itself. So we need to investigate thoroughly. Please give us one to two months to do so.’ Furthermore, the cost of the investigation alone would exceed ¥50 million [US$330,000]. However, if we spent a month on the system, all our customers would leave. These are circumstances that so-called security experts do not understand. After thinking about it for three or four days, I decided, ‘Let’s throw away all the old system and build a new one,’” President Tatsujo says.
As a result, the two security specialist companies were consolidated into one.
“We worked with two companies: a major security company and a venture company, but the major company specialized in investigations rather than recovery, which takes time. What we wanted was a speedy recovery. In that respect, the venture company acted quickly, formulating hypotheses as they investigated, and made flexible proposals to minimize risk while identifying the essence of the problem. We chose this company because we were looking for speed. Even when it comes to something as simple as security, I really felt that it was important to carefully determine which company was strong in what areas,” President Tatsujo adds.
Along with building the system, compensation for business partners is also important. Insurance companies were slow to clarify how much damage insurance would cover, but Kantsu had to quickly clarify how much compensation it would provide to business partners. To do this, it was necessary to determine the extent of the damage and explain it to insurance companies and business partners, but it is not easy to recover data that has been lost in a short period of time. If the data could not be recovered, it would be impossible to determine whether personal information had been leaked, and there would be no evidence to support a claim.
“We also had cyber insurance, but the insurance company said they wouldn’t cover the risk hedging limit. I don’t understand why we had cyber insurance. We needed a lot of cash to build the system and compensate our business partners, so we were extremely stressed,” President Tatsujo says.
The insurance claim certification process began in mid-December, three months after the incident. Ultimately, the full amount was paid, but while the system was being restored, it was unclear how much of the insurance money they could rely on. The reason they quickly obtained a loan from a financial institution was to avoid a worsening cash flow that would put them in a difficult position.
In the end, Kantsu suffered a total loss of ¥1.7 billion (US$11.1 million), including ¥700 million for system renewal and ¥1 billion for compensation. Nevertheless, they were able to announce a recovery internally at the end of October and externally on Nov. 1.
“No matter how much we defend, we cannot completely prevent [cyberattacks]. It is important to prepare incident manuals and recovery plans in advance so that we can respond even if we are hit by a cyberattack,” President Tatsujo says of the experience.