Capcom: Ransomware gang used old VPN device to breach the network

Capcom has released a final update about the ransomware attack it suffered last year, detailing how the hackers gained access to the network, compromised devices, and stole personal information belonging to thousands of individuals.

In early November 2020, Ragnar Locker ransomware hit the Japanese game developer and publisher, forcing Capcom to shut down portions of their network.

In typical fashion for human-operated ransomware attacks, the threat actor stole sensitive information before encrypting devices on the network.

Ragnar Locker stated that they had stolen 1TB of Capcom sensitive data and demanded a ransom of $11 million in exchange for not publishing the information and offering a decryption tool.

Compromised VPN device

Today, Capcom announced that restoring the internal systems affected by the attack is almost finished and that the investigation into the incident has completed.

Investigators discovered that Ragnar Locker operators gained access to Capcom’s internal network by targeting an old VPN backup device located at the company’s North American subsidiary in California.

From there, the attacker pivoted to devices in offices in the U.S. and Japan and detonated the file-encrypting malware on November 1st, causing email and file servers to be taken offline. Below is a simplified depiction of the incident.

Capcom says that it was in the process of boosting network defenses when Ragnar Locker threat actor breached its network. The compromised VPN device was on its way out as new models had been installed.

However, on the background of the pandemic pushing for remote work, the old VPN server continued to function as an emergency backup in case of communication problems.

The company’s final assessment regarding the data breach is that 15,649 individuals have been impacted; that’s 766 fewer people than initially announced in January 2021.

The information did not include payment card details, only corporate and personal data that includes names, addresses, phone numbers, and email addresses. Capcom is currently notifying affected individuals.

Ransom not paid

Regarding the ransom, the game maker says that the threat actor left on encrypted systems a message that did not mention any price, just instructions to contact the attacker to engage in negotiations.

Indeed, ransomware attacks these days rarely give price details in the ransom note. Most of the time, these notes give victims step-by-step instructions on how to get to communicate with the attacker to learn the ransom and start negotiating it.

Capcom says that following consultations with law enforcement, it did not engage the Ragnar Locker ransomware operator and made no effort to contact them. This decision made the attacker leak company data a few weeks after the breach.

The investigation results published today show that the game maker was hit at a bad time, when its efforts to transition to better defenses were slowed down by measures to adapt to the COVID-19 pandemic.

Part of Capcom's increased security measures since the cyberattack are a security operations center (SOC) service that keeps an eye on external connections and an endpoint detection and response (EDR) system to check for unusual activity on PCs and servers.