Ransomware Attack on Mino Industry Co., Ltd. (Japan)

By Ash K

Mino Industry Co., Ltd., a Japanese manufacturer specialising in screen-printing and stencil machinery, confirmed a ransomware incident in late October 2025. Open disclosures and monitoring platforms list the company as a victim; the SafePay ransomware group publicly claimed responsibility. The company reports an intrusion that began via a compromised VPN account, escalated to administrative compromise and encryption, and was detected and contained by the organisation within days.

Overview

Public trackers and the company’s own updates indicate that attackers gained initial access to Mino Industry through a compromised VPN credential, later leveraging elevated privileges to damage systems and encrypt files. The ransomware group SafePay listed Mino Industry on its leak site, consistent with a dual-extortion incident profile (encryption + data theft/exposure).

Confirmed Timeline (from company notices and public reporting)

  • October 1, 2025: Attackers gained access via a compromised employee VPN account.
  • October 3, 2025: Administrative privileges were abused; systems were damaged and files encrypted.
  • October 4, 2025 — 01:21: Ransom note was placed inside the company’s internal folders.
  • October 4, 2025 — 02:25 onward: Mino Industry detected the incident, disconnected the network and VPN, began recovery actions, and notified authorities.
  • Following days: Security upgrades, forensic investigation, password resets and full network isolation were implemented.

Impact

While Mino Industry’s public notice focuses on containment and recovery measures, likely impacts from this class of incident include:

  • Operational disruption and potential production downtime while systems are isolated and restored.
  • Delayed shipments and supply-chain knock-on effects for customers relying on affected production lines.
  • Risk of data exfiltration and subsequent extortion if stolen data or backups are threatened with publication.
  • Costs associated with incident response, remediation, and reputational damage.

Threat Actor

The SafePay ransomware group has been observed publicly listing victims on leak sites and employing dual-extortion tactics. Public trackers and SafePay’s listings identify Mino Industry as a claimed victim in this campaign.

Indicators & Observed Tactics

Based on the company timeline and typical SafePay activity, relevant indicators and tactics to hunt for include:

  • Compromised remote access credentials / anomalous VPN logins (unusual source IPs, login times, or concurrent sessions).
  • Privilege escalation events (new admin account creation, abnormal use of existing admin accounts).
  • Large-scale file encryption patterns, spikes in I/O to file servers, or new file extensions associated with ransomware.
  • Presence of ransom notes in internal directories and outbound traffic to known leak sites or actor infrastructure.
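
As an added illustration of the first hunt item (this is example code written for this article, not tooling from Mino Industry or any vendor), the sketch below flags VPN logins that come from a source IP not previously seen for the user, fall outside working hours, or overlap an open session from another IP. The log format, the function name hunt_vpn_anomalies, the working-hours window and the sample log lines are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log; hypothetical format: "<ISO time> <user> <source IP> <LOGIN|LOGOUT>"
SAMPLE_LOG = """\
2025-01-06T08:55:10 alice 198.51.100.7 LOGIN
2025-01-06T17:40:02 alice 198.51.100.7 LOGOUT
2025-01-07T09:01:44 alice 198.51.100.7 LOGIN
2025-01-07T09:30:00 bob 203.0.113.20 LOGIN
2025-01-07T18:05:00 bob 203.0.113.20 LOGOUT
2025-01-08T02:47:37 alice 192.0.2.99 LOGIN
2025-01-08T09:10:00 bob 203.0.113.20 LOGIN
"""

WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 local time is normal


def hunt_vpn_anomalies(log_text, work_hours=WORK_HOURS):
    """Return (timestamp, user, ip, reasons) for each suspicious login."""
    seen_ips = defaultdict(set)  # user -> source IPs seen so far (rolling baseline)
    active = defaultdict(set)    # user -> source IPs with a session still open
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        ts_raw, user, ip, event = parts
        if event == "LOGOUT":
            active[user].discard(ip)
            continue
        if event != "LOGIN":
            continue
        reasons = []
        # A first-ever login has no baseline, so it is not flagged as a new IP.
        if seen_ips[user] and ip not in seen_ips[user]:
            reasons.append("new_source_ip")
        if datetime.fromisoformat(ts_raw).hour not in work_hours:
            reasons.append("off_hours")
        if active[user] - {ip}:
            reasons.append("concurrent_session")
        seen_ips[user].add(ip)
        active[user].add(ip)
        if reasons:
            findings.append((ts_raw, user, ip, reasons))
    return findings


if __name__ == "__main__":
    for finding in hunt_vpn_anomalies(SAMPLE_LOG):
        print(finding)
```

In practice the baseline would be built from weeks of VPN concentrator logs, and a finding that combines several reasons would be prioritised over a single off-hours login.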

Immediate Actions for Affected Organisations

  • If an incident is suspected, isolate affected systems from the network and preserve volatile logs for forensics.
  • Disable compromised credentials and enforce password resets for exposed accounts; require MFA where possible.
  • Engage forensic and incident response specialists to determine scope, validate backups, and advise on recovery.
  • Validate and restore from known-good, immutable backups; verify integrity before reconnecting systems to production networks.
  • Notify relevant local authorities and, where required, regulatory bodies and impacted customers/suppliers.

Recommendations for Manufacturing & Industrial Environments

  • Segment OT/ICS from enterprise IT networks and enforce strict access control between zones.
  • Harden remote access: limit VPN access to vetted devices, enforce MFA, and monitor for unusual sessions.
  • Implement robust backup practices: offline/immutable backups, frequent restore drills, and air-gapped copies where feasible.
  • Deploy and tune EDR/NDR to detect lateral movement, credential misuse, and file-encryption behavior.
  • Conduct regular privileged-account reviews and apply least-privilege for service and admin accounts.
  • Maintain an exercised incident response plan that includes supplier/supply-chain continuity procedures.

This article is based on Mino Industry’s public updates and open-source reporting as of October 26, 2025. For official incident status and remediation guidance, consult the victim organisation’s notices and local authorities.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.