Hoya Corporation: Ransomware Attack Timeline

Hoya Corporation is one of the world’s leading optical products manufacturers. It recently became victim of a massive cyber crime. The Ransomware gang demanded a whopping $10 million ransom to decrypt what they claimed was 2 TB of data. Know all about what happened next and how Hoya Corp implemented effective Cyber Incident Response to get its production plants and ordering systems up and running again.  

Topics covered in the Hoya Corp Ransomware Attack Timeline: 

1. The Incident
2. The Impact 
3. Actions Taken by Hoya Corp

This is a summary image of at the Attack Timeline. The complete details in chronological order are covered in the sections below: 

Our educational cyber-attack timelines intend to present cyber attacks in a chronological and easy-to-understand format. We break down each cybersecurity incident into bite-sized points. This helps you understand the modus operandi of cyber criminals and response strategies that work and those that don’t. 

More importantly, a retrospective look at recent major cyber attacks from your industry can inspire Cyber Security Tabletop Exercise Scenarios for your organisation. Cyber Crisis Tabletop Exercises are crucial for enhancing your organisation’s cyber resilience. They simulate real-life attack scenarios, helping your team practice and refine their response strategies.

Cyber Tabletop Exercises identify weaknesses in your incident response plan and build muscle memory for effective decision-making during actual cyber events. Regular tabletop exercises ensure your team is prepared and confident in handling cyber crises. 

The Incident – Hoya Corp

• April 04, 2024: Hoya Corp Systems go Offline – According to various sources like BleepingComputer and The Recorded Future, Hoya Corporation, one of the largest global manufacturers of optical products, said a “system failure” caused servers at some of its production plants and business divisions to go offline on March 30, 2024. 
  
  The company said in a statement given on its official website: 
• “In the morning of March 30, 2024, we discovered a discrepancy in system behaviour at one of our overseas offices and confirmed that a system failure had occurred.” 
• “We immediately responded by isolating the failed servers and reported the matter to the relevant authorities in the affected countries.” 
• “We also engaged external forensic investigators who reported that this incident was most likely caused by unauthorised access to our servers by a third party.”

• April 10, 2024: Hunters International demands $10 million ransom – BleepingComputer said that a recent cyber attack on Hoya Corporation was conducted by the ‘Hunters International’ ransomware operation, which demanded a $10 million ransom for a file decryptor and for not releasing files stolen during the attack.  
  
• April 10, 2024: BleepingComputer said no files were released on the Hunters International site and the threat actors did not publicly claim responsibility for the attack on Hoya. LeMagIT, however, posted evidence in the form of screenshots from the ransomware operation’s negotiation panel that victims use to negotiate a ransom payment. 
  
• April 10, 2024: Hackers had allegedly stolen 1.7 million files adding up to 2 TB of data – LeMagIT published a report saying: “The cybercrime group  Hunters International  publicly revealed its involvement in the attack against Hoya to stakeholders.”. In fact, although the group did not publicly claim responsibility for this attack at the time of publishing, it appears to be involved. LeMagIT said according to its information, a ransom amount was initially demanded and the cybercriminals claimed to have stolen more than 1.7 million files for a total of 2 TB of data. 
  
• April 10, 2024: LeMagIT said threatening to mass inform customers, partners, employees and competitors of a victim was part of Hunters International’s modus operandi. They also applied  a no-negotiation policy to some of their victims, which they did for Hoya, according to information that was brought to LeMagIT’s attention. A negotiator might have initially offered 1.5 million dollars, in vain, then 4 million, still in vain, coming up against an openly intractable cybercriminal, as per sources. 
  

• April 15, 2024: CyberEra and Teiss published a statement given by Hoya which said:
  • “Hoya is also assessing the situation for any material impact on its business performance and assured its customers that it will share more information about the incident as and when available,” 
  • “Hoya’s consumer eyeglass lens unit, Hoya Vision Care Co, apologised to customers on Tuesday for pausing order bookings for lenses due to a group-wide system failure”.
    
• April 24, 2024: Hoya gave an update regarding the restoration of the affected systems: “Our restoration process of Hoya Vision Care systems affected by the incident is substantially complete and the majority of affected labs are now open. We are, however, experiencing slight delays as we work through backlogs and hope to get back to our standard delivery schedule as soon as possible”.