Japan firms struggle after ransom payments

Many firms saw no results even after paying attackers

By Jonalyn Cueto

More than 200 companies in Japan paid ransomware attackers to recover their encrypted data, yet over 60% of those firms still failed to restore their systems, according to a January survey by the Japan Institute for Promotion of Digital Economy and Community.

The institute surveyed 1,107 companies, of which 507 reported being hit by ransomware attacks – a form of cyberattack in which hackers block access to data and demand payment to restore it. Of those 507, 222 firms paid the ransom. Among the paying firms, 139 were unable to recover their data or systems, while 83 successfully restored them.

By contrast, 141 companies reported restoring their data without paying.

The institute said the results underscore the reality that “paying a ransom does not guarantee data recovery.”

Financial toll

Financial losses among affected firms varied. About half reported losses ranging from ¥1 million (US$6,300) to less than ¥50 million, covering ransom payments and system recovery costs. Some 16% reported little to no financial damage, while 4.3% suffered losses of ¥1 billion or more.

Restoration timelines also differed widely. Among affected companies, 176 reported recovery taking between one week and one month. Some firms, however, said their data had not been restored even after three months.

Cybersecurity experts have urged companies not to pay ransoms. In an interview with NHK News, Kobe University professor Morii Masakatsu warned that payment offers no guarantee of full recovery and that hackers may still leak stolen data or demand additional payments. He called on firms to adopt basic security measures and maintain offline backups.

Yukimi Sota, of the Japanese subsidiary of US cybersecurity firm Proofpoint, offered similar advice. “It is also vital to back up your data regularly to minimize damage,” Sota said, also recommending that companies keep their security software up to date.

Rising threat

The survey findings come against a backdrop of worsening ransomware activity across Japan. Japanese police confirmed 226 ransomware cases in 2025 – the second-highest annual total on record – a rise of four from the prior year, according to the National Police Agency (NPA). The Japan Times reported that, while roughly 60% of victims were small and midsize companies, large firms were not spared, with food and beverage giant Asahi Group Holdings and office goods supplier Askul among those hit.

Among the 149 cases in which the virus strain was identified, Qilin – the ransomware used in the Asahi Group attack – was the most prevalent, accounting for 32 cases, followed by LockBit with 19. The NPA also noted that prolonged damage tended to result in higher recovery costs.

Japan’s top cybersecurity official has also raised alarms. At the CYDEF 2025 conference, the country’s cyber chief said the severity and volume of attacks had increased significantly, with an internet-connected device facing some form of malicious communication every 13 seconds.
