Shinko Shoji Discloses Ransomware Incident at U.S. Subsidiary, Servers Encrypted in Late December
Japanese electronics trading firm Shinko Shoji has disclosed that its U.S. subsidiary experienced a ransomware incident that resulted in data encryption on several internal servers. The incident, which occurred in late December, was formally confirmed and communicated through an official notice dated January 28, 2026.
According to the disclosure, the affected systems were operated by Novalux America Inc., Shinko Shoji’s U.S.-based subsidiary. Unauthorized third-party access led to a ransomware-induced access failure, prompting immediate containment and an ongoing restoration effort.
Timeline of the Incident
The company stated that on January 5, 2026, it confirmed that data stored on certain subsidiary servers had become inaccessible. A subsequent investigation determined that a ransomware attack had occurred, with encryption activity traced back to December 28, 2025.
This gap between encryption and detection aligns with a broader ransomware trend in which attackers remain undetected for days or weeks, conducting internal reconnaissance before deploying destructive payloads.
Official Disclosure Document
Shinko Shoji published a formal incident notice outlining the scope of the ransomware attack, its response actions, and the current assessment of impact. The document emphasizes containment, regulatory notifications, and the absence of confirmed data leakage at the time of disclosure.
Notice Regarding Ransomware Incident
Immediate Response and Containment
Upon confirming the damage, the subsidiary disconnected the affected servers from both internal networks and the internet to prevent further spread. External cybersecurity specialists were engaged to assist with system restoration and forensic analysis.
In parallel, the subsidiary notified impacted customers individually and reported the incident to relevant authorities in both the United States and Japan. The company stated that daily business operations were not disrupted.
Impact Assessment and Data Exposure Questions
As of the January 28 notice, no evidence of data exfiltration had been confirmed. However, investigations remain ongoing to determine whether attackers accessed or staged sensitive information prior to encryption.
Shinko Shoji noted that the subsidiary’s systems operate independently from other group entities, and no broader impact has been identified. The financial effect on consolidated earnings for the current fiscal year is expected to be limited.
Likely Attack Pattern and Threat Context
Although no threat actor has been publicly named, the attack characteristics align with ransomware campaigns targeting multinational trading and manufacturing firms. These operations commonly begin with credential compromise or exploitation of externally exposed services, followed by lateral movement and privilege escalation.
The delayed encryption timing suggests the attackers may have mapped internal systems and identified critical servers before triggering the ransomware phase, a technique increasingly observed in targeted, financially motivated intrusions.
Broader Implications for Cross-Border Operations
Electronics trading companies are particularly exposed due to their reliance on interconnected systems, third-party vendors, and geographically distributed operations. Even when incidents are isolated to a subsidiary, recovery efforts can place strain on supply chains and partner relationships.
The Shinko Shoji incident reflects a growing pattern of ransomware activity against globally integrated firms, where containment succeeds but full visibility into attacker actions may take weeks or months to establish.