Public Breach Retrospective
In a new account of the September 2024 ransomware attack on Japanese logistics company Kantsu (www.kantsu.com), President Hisahiro Tatsushiro has revealed a radical “scorched earth” recovery strategy that prioritizes trust over cost.
The attack, which struck on the evening of September 12, 2024, paralyzed the company’s internal systems and encrypted both business data and its backups; the affected systems were cut off from the internet. Rather than negotiate with the attackers, Tatsushiro made a decisive call: “I decided to abandon all my personal computers and network equipment… I don’t know what’s hiding inside.”
Likening the compromised network to a “thief’s house,” he ordered the physical disposal of every piece of hardware, “including one ladder, one spoon, and one plate” (metaphorically speaking), so that the network could be rebuilt entirely from scratch. Two concerns drove the decision: that paying a ransom would mark Kantsu as a “good customer” for future attacks, and that the stolen data could still be leaked even after payment.
Key Cybersecurity Insights
This case study offers a rare look at a CEO-level decision to choose total hardware replacement over remediation:
- The “Scorched Earth” Recovery: Replacing hardware is expensive, but it is the most reliable way to rule out persistence that a reimage cannot reach, such as implants in firmware, network equipment or storage controllers. For a logistics company whose business depends on client trust, this extreme measure bought a clean slate that software reimaging alone cannot promise. The caveat is that the clean slate only holds if the new hardware is rebuilt from trusted installation media and known-good data; restoring a compromised image onto new machines simply brings the attacker along.
- Ransom Refusal Logic: Tatsushiro’s refusal was strategic. He recognized that paying a ransom funds future crime and does not guarantee data safety. He prioritized the long-term security posture over the short-term ease of decryption.
- Managing the “Perpetrator” Perception: Kantsu understood that while they were victims, their downtime could make them “perpetrators” in the eyes of their clients (e-commerce companies) if shipments failed. To mitigate this, they assigned individual representatives to each partner to maintain transparency and trust during the crisis.
Mitigation Strategies
Organizations can learn from Kantsu’s extreme but effective response:
- Hardware Replacement Strategy: Full replacement is not feasible for every incident, so organizations should define in advance the threshold at which it becomes the preferred recovery option, for example compromise of core domain controllers, confirmed root- or domain-level access, or any evidence of firmware or network-device tampering. Writing the threshold down before an incident keeps the decision from being made under ransom-deadline pressure.
- Offline, Immutable Backups: Kantsu’s online backups were encrypted along with production data. This reinforces the necessity of immutable, offline backups (tape, air-gapped drives, or object storage with write-once retention locks) that a compromised host cannot modify or delete. Backups that are reachable with the same credentials as the systems they protect are not backups against ransomware; their integrity should also be verified and a restore rehearsed on a regular schedule, so that the first restore attempt is not during the incident.
- Crisis Communication: Assigning dedicated staff to manage partner relationships during an outage is a critical business continuity step. Transparency prevents the “victim” from becoming the “villain” in the supply chain.
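The backup point above is easy to state and hard to notice in time: an online backup that ransomware has already encrypted looks fine until the restore fails. The following script is an added illustration, not part of the Kantsu account or of any Brinztech tooling. It records a SHA-256 manifest when a backup set is written and re-verifies it later, reporting files that were modified in place, that went missing, or that appeared unexpectedly (the signature of an encryptor renaming files with a new extension). The backup contents, file names and the “ransomware” routine are all constructed for the demonstration; the only real-world assumption is that the manifest is stored somewhere the backup host cannot rewrite (off-host or on write-once media), otherwise an attacker simply regenerates it.

```python
"""Detect tampering with a backup set before you need to restore from it.

A SHA-256 manifest is written when the backup is taken; a later verification
run recomputes the hashes and reports anything modified, missing or unexpected.
Ransomware that encrypts a reachable backup shows up as 'modified' (in-place
overwrite) or as 'missing' plus 'unexpected' (rename to a new extension).
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large archives are never loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Map every regular file (relative, '/'-separated path) to its SHA-256."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def write_manifest(backup_dir: Path, manifest_path: Path) -> dict[str, str]:
    """Record the manifest at backup time.

    Assumption: manifest_path lives off the backup host or on WORM media.
    A manifest the attacker can rewrite proves nothing.
    """
    manifest = build_manifest(backup_dir)
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path) -> dict[str, list[str]]:
    """Compare the current backup tree against the recorded manifest."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "unexpected": sorted(k for k in actual if k not in expected),
    }


def is_intact(report: dict[str, list[str]]) -> bool:
    """True when no file changed, vanished or appeared since the manifest was written."""
    return not any(report.values())


def make_sample_backup(root: Path) -> Path:
    """Constructed sample backup set (hypothetical file names, not Kantsu data)."""
    backup = root / "backup-2024-09-12"
    (backup / "db").mkdir(parents=True)
    (backup / "docs").mkdir()
    (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'pallet');\n")
    (backup / "docs" / "readme.txt").write_bytes(b"restore procedure\n")
    return backup


def simulate_ransomware(backup: Path) -> None:
    """Constructed stand-in for an encryptor that reached the online backup share:
    one file overwritten in place, one renamed with a new extension."""
    target = backup / "db" / "orders.sql"
    target.write_bytes(os.urandom(len(target.read_bytes())))
    (backup / "docs" / "readme.txt").rename(backup / "docs" / "readme.txt.locked")


def demo() -> tuple[dict, dict]:
    """Run the full cycle in a temp dir; returns (report before, report after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = make_sample_backup(root)
        manifest = root / "manifest.json"  # kept outside the backup tree
        write_manifest(backup, manifest)
        clean = verify_backup(backup, manifest)
        simulate_ransomware(backup)
        tampered = verify_backup(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", "intact" if is_intact(before) else before)
    print("after :", "intact" if is_intact(after) else after)
```

Run on a schedule against every backup generation that is still online, a non-empty report is the cue to treat the backup as suspect and fall back to the offline copy. The check does not make a backup immutable; it tells you, ahead of an incident, whether the copy you are counting on is still the one you wrote.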
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com