Behind The Capcom Ransomware Attack
A Ransomware Gang Used Old VPN Devices To Breach the Network.
Capcom, the Japanese video game developer and publisher behind multi-million-selling franchises such as Resident Evil, Monster Hunter, Street Fighter, Mega Man and Devil May Cry, suffered a breach of its corporate networks in November 2020.
Beginning in the early morning hours of November 2, 2020 some of the Capcom Group networks experienced issues that affected access to certain systems, including email and file servers.
A ransom note urged Capcom to negotiate with the attackers in order to recover the company's encrypted computers; the attackers demanded $11 million and claimed to have encrypted 2,000 company servers.
Yesterday, Capcom released its final update on the ransomware attack, with more details on how the attackers gained access to the network, which devices were compromised, and the personal information stolen from thousands of individuals.
Ragnar Locker stated that they had stolen 1TB of Capcom sensitive data and demanded a ransom of $11 million in exchange for not publishing the information and offering a decryption tool.
Capcom announced that restoration of the internal systems affected by the attack is almost complete and that the investigation into the incident has concluded. The investigators found that the Ragnar Locker operators gained access to Capcom's internal network by targeting an old backup VPN device located at the company's North American subsidiary in California.
At the time of the attack, Capcom was in the process of strengthening its network defenses and the compromised VPN device was scheduled for retirement. However, with the pandemic pushing staff to remote work, the old VPN server had been kept running as an emergency backup in case of communication problems, and that is the device the attackers exploited.
The company’s final assessment regarding the data breach is that 15,649 individuals have been impacted, meaning that 766 fewer people were affected than initially announced in January 2021.
The leaked information did not include payment card details, only corporate and personal data that includes names, addresses, phone numbers, and email addresses.
As for the ransom demand, Capcom said that, following consultations with law enforcement, it did not engage with the Ragnar Locker operators and made no attempt to contact them. This decision is what led the attackers to leak company data a few weeks after the breach.
Capcom worked with multiple companies including major security vendors and IT specialist companies to carry out an investigation into the devices and transmission logs affected in the attack. As a result of carrying out this investigation, Capcom has found that the incident occurred as described in the following summary. Further, as stated in previous announcements, the Company has been coordinating both domestically and overseas with law enforcement and related organizations, while also continually reporting and corresponding on a timely basis with the authorities that oversee the protection of personal information in each country.
Capcom's increased security measures since the attack include a security operations center (SOC) service that monitors external connections, and an endpoint detection and response (EDR) system that checks for unusual activity on PCs and servers.