Shimano hit by ransomware attack

The market-leading cycling component manufacturer, Shimano, has been targeted by a ransomware attack, affecting 4.5 terabytes of sensitive company data. 

Initially highlighted in a post on X (formerly Twitter) by technology security company Falcon Feeds, the Japanese manufacturer has reportedly been targeted by ransomware group LockBit, who are threatening to release the data on November 5, 2023, at 18:34:13 UTC.

First reported by Escape Collective, the attack is also listed on the Live Ransomware Updates of the Ransom-db website, showing Shimano.com as a victim of LockBit 3.0, with the date November 2, 2023 as the attack date. 

It is also listed on Ransomlook.io – described as an open-source project aimed at assisting users in tracking ransomware-related posts and activities across various sites, forums, and Telegram channels – in which the full ransom notice can be seen. 

The notice claims that the group has breached highly sensitive data, including:

• Employee information, including identification, social security numbers, addresses and passport scans
• Financial documents, including balance sheets, profit and loss reports, bank statements, various tax forms and reports
• Client data, including addresses, internal documents, mail correspondence, confidential reports, legal documents and factory inspection results
• Other documents, including non-disclosure agreements, contracts, confidential diagrams and drawings, development materials and laboratory tests

The attacker, LockBit, is a cybercrime group that uses malware to breach sensitive company data and then attempts to extort money in exchange for avoiding its public release. 

Cyber-crime protection company Flashpoint describes it as the world's 'most active' ransomware group, saying it is responsible for 27.93% of all known ransomware attacks in the 12 months to June 2023. Its reported total of 1,036 victims is more than double that of the group known as BlackCat in second place. 

Shimano is just the latest in a string of high-profile victims of the LockBit group. According to Trendmicro, the British postal service Royal Mail was hit by an attack in January, effectively halting its international export services. Dublin software company Ion Group was hit in February, and Taiwanese chipmaker TSMC faced a ransom of US$70 million in June. 

Aeroplane manufacturing giant Boeing is also currently being extorted by the group. 

When contacted by Cyclingnews, a Shimano spokesman said, "This is an internal matter at Shimano, which is being investigated, however we cannot comment on anything at this time."

It is unclear at this time what ransom - if any - has been demanded by the group, but it's clear that the news will be another huge blow in a difficult period for the Japanese brand. 

Just last month, it announced the recall of 2.8 million road cranksets globally, following a longstanding bonding separation issue. In the weeks following, a class-action lawsuit was filed as a result in North America. Its latest quarterly report announced that overall sales of bicycle components fell by 24.8%, with operating income falling by nearly half.