[BreachExchange] Capcom: Ransomware gang used old VPN device to breach the network

Destry Winant destry at riskbasedsecurity.com
Wed Apr 14 10:35:24 EDT 2021


https://www.bleepingcomputer.com/news/security/capcom-ransomware-gang-used-old-vpn-device-to-breach-the-network/

Capcom has released a final update about the ransomware attack it
suffered last year, detailing how the hackers gained access to the
network, compromised devices, and stole personal information belonging
to thousands of individuals.

In early November 2020, Ragnar Locker ransomware hit the Japanese game
developer and publisher, forcing Capcom to shut down portions of their
network.

In typical fashion for human-operated ransomware attacks, the threat
actor stole sensitive information before encrypting devices on the
network.

Ragnar Locker stated that they had stolen 1TB of Capcom sensitive data
and demanded a ransom of $11 million in exchange for not publishing
the information and offering a decryption tool.

Compromised VPN device

Today, Capcom announced that restoring the internal systems affected
by the attack is almost finished and that the investigation into the
incident has completed.

Investigators discovered that Ragnar Locker operators gained access to
Capcom’s internal network by targeting an old VPN backup device
located at the company’s North American subsidiary in California.

From there, the attacker pivoted to devices in offices in the U.S. and
Japan and detonated the file-encrypting malware on November 1st,
causing email and file servers to be taken offline. Below is a
simplified depiction of the incident.

Capcom says that it was in the process of boosting network defenses
when the Ragnar Locker threat actor breached its network. The
compromised VPN device was on its way out, as new models had already
been installed.

However, with the pandemic pushing employees toward remote work, the
old VPN server was kept running as an emergency backup in case of
communication problems.

The company’s final assessment regarding the data breach is that
15,649 individuals have been impacted; that’s 766 fewer people than
initially announced in January 2021.

The information did not include payment card details, only corporate
and personal data that includes names, addresses, phone numbers, and
email addresses. Capcom is currently notifying affected individuals.

Ransom not paid

Regarding the ransom, the game maker says that the threat actor left
on encrypted systems a message that did not mention any price, just
instructions to contact the attacker to engage in negotiations.

Capcom ransom note created in attack

Indeed, ransomware attacks these days rarely give price details in the
ransom note. Most of the time, these notes give victims step-by-step
instructions on how to communicate with the attacker to learn the
ransom amount and start negotiating it.

Capcom says that, following consultations with law enforcement, it did
not engage the Ragnar Locker ransomware operator and made no effort to
contact them. This decision led the attacker to leak company data a few
weeks after the breach.

The investigation results published today show that the game maker was
hit at a bad time, when its efforts to transition to better defenses
were slowed down by measures to adapt to the COVID-19 pandemic.

Among the security measures Capcom has added since the cyberattack are
a security operations center (SOC) service that monitors external
connections and an endpoint detection and response (EDR) system that
checks for unusual activity on PCs and servers.
