The Blackfield ransomware gang is demanding a $2 million ransom from Nidec Corporation, the Japanese electric motor giant, after compromising the servers of its Taiwanese subsidiary Nidec Chaun Choung Technology. Nidec, which reports $17.2 billion in annual revenue, employs roughly 100,000 people, and operates in more than 40 countries, confirmed the intrusion in a public statement. With damage first detected on June 22, 2026, and a confirmed possibility of data exfiltration, this incident places one of the world's leading manufacturers of micro-precision and heavy-duty motors squarely in the crosshairs of a double-extortion operation.
What Happened
Nidec disclosed that ransomware-originated damage was confirmed in part of Nidec Chaun Choung Technology's server infrastructure on Monday, June 22, 2026. In response, the company says it took emergency containment measures, including shutting down the affected server and isolating the network to prevent lateral spread.
The Blackfield ransomware gang has since claimed responsibility, posting Nidec to its extortion portal and giving the company more than 15 days to respond and enter negotiations. The threat actor is threatening to publish or sell the stolen data if its demands are not met. To delete the allegedly stolen information, Blackfield is demanding $2 million. The group has also monetized urgency: for $5,000 it will extend the leak deadline by a single day, and for $400,000 it is offering any buyer immediate download access to the full data set.
Nidec stated it is still investigating how production, shipping, and other business operations may be affected, but does not expect the fallout to reach other Nidec Corporation or Nidec Group companies. The company also acknowledged a "possibility of information leak," while noting that no personal or confidential information has been confirmed as leaked online to date.
What Was Taken
Nidec has confirmed a possibility of information leak but has not validated the specifics of what was exfiltrated. Blackfield, for its part, has published samples to its leak portal showing internal file structures and assorted documents as proof of breach. BleepingComputer reported it could not independently verify the validity of the leaked material.
The volume and sensitivity of the stolen data remain unconfirmed. However, the tiered pricing structure, $2 million for deletion, $400,000 for buyer access, and $5,000 per day of delay, signals that Blackfield believes the data set holds meaningful commercial value, whether intellectual property tied to motor design, supply chain records, or subsidiary business documents.
Why It Matters
Nidec sits at a critical chokepoint in global manufacturing. Its motors range from micro-precision components inside phones and hard drives to heavy-duty units powering robotics, elevators, and large HVAC systems. The company also designs motors for electric vehicles, electric power steering, and advanced driver-assistance systems, making it a quiet but essential supplier deep inside the automotive and computing supply chains.
A compromise at a subsidiary of an organization this size is a reminder that attackers increasingly target the softer edges of a corporate group rather than the hardened core. This is also not Nidec's first ransomware event. In October 2024, the company disclosed a breach of its Vietnam-based Nidec Precision division that exposed over 50,000 sensitive files, an incident claimed separately by both the 8Base and Everest gangs. A repeat victimization within roughly 18 months suggests persistent attacker interest and underscores the difficulty of securing a sprawling, multinational subsidiary footprint.
The Attack Technique
The precise initial access vector has not been publicly disclosed. Nidec's statement indicates damage was confirmed on a specific server at Nidec Chaun Choung Technology before containment, consistent with a typical ransomware kill chain: initial foothold, lateral movement, data staging and exfiltration, and finally encryption or extortion.
Blackfield is operating a double-extortion model, pairing data theft with the threat of public exposure rather than relying on encryption alone to force payment. The structured pricing for deletion, delay, and direct buyer sale is characteristic of modern extortion-as-a-service operations that treat stolen data as a tradable commodity. Until Nidec's forensic investigation concludes, defenders should treat the entry point as unknown and assume common vectors such as exposed remote services, compromised credentials, or unpatched edge infrastructure.
What Organizations Should Do
- Segment subsidiaries from the parent network. Treat regional subsidiaries as distinct trust zones so a breach at one entity cannot pivot into the broader group, exactly the boundary Nidec is now relying on to contain impact.
- Monitor for data staging and exfiltration. Deploy detection for large outbound transfers, unusual archiving activity, and access to file shares, since double-extortion crews steal before they encrypt.
- Harden and inventory external attack surface. Audit internet-facing servers, VPNs, and remote access tooling for unpatched vulnerabilities and exposed services that commonly serve as ransomware entry points.
- Enforce phishing-resistant MFA and least privilege. Reduce the value of stolen or guessed credentials and limit lateral movement once an attacker gains an initial foothold.
- Maintain and test isolated backups. Ensure offline, immutable backups exist and rehearse restoration so operations can recover without negotiating with extortionists.
- Prepare an extortion response plan in advance. Define legal, communications, and decision-making playbooks for leak threats and tiered ransom demands before an incident forces rushed choices under a countdown.
Sources: Blackfield ransomware asks Nidec Corporation for $2 million ransom