Earlier this week the Japanese game developer Capcom released an update on the cyberattack it suffered late last year. The update provides the results of the investigation into the ransomware attack, which concluded that the attackers gained access to Capcom's systems via an outdated VPN device.
Late last year, the ransomware group Ragnar Locker conducted a cyberattack against the Japanese game developer and publisher Capcom. The hit came in the form of a ransomware attack that affected Capcom's internal systems, including email and file servers.
As is usual with ransomware attacks these days, Ragnar Locker employed the double extortion method against Capcom. The group stole personal information belonging to customers and employees, as well as company data. They also stole data belonging to Capcom's business partners before encrypting the systems and leaving a ransom note. According to Capcom, the note did not mention a ransom amount; it only provided instructions on how to contact the group to start negotiations.
However, in Capcom’s latest update, the firm states it made no effort to contact the hackers, as per law enforcement advice. Instead, the firm focused on recovering its compromised data, which the update confirms involved 15,640 accounts. This figure is down by 775 accounts from the 16,415 accounts originally reported.
Furthermore, the compromised data did not contain any customer credit card information, as this information is not held on Capcom's systems. The stolen personal data includes names, addresses, phone numbers and email addresses associated with the compromised accounts. Unfortunately, Capcom's decision not to engage in negotiations led Ragnar Locker to start leaking the firm's stolen data a few weeks after the breach.
Cyberattack Attributed to Outdated VPN
Capcom's update also states that it has almost completed restoring the internal systems affected by the cyberattack, and that the investigation into the incident has been completed. The investigation revealed that Ragnar Locker breached Capcom's systems through an outdated VPN device located at the firm's Californian subsidiary. The ransomware group then leveraged this entry point to access devices located in other US offices and in Japan.
According to Capcom, the firm had been in the process of updating its worldwide networks when Ragnar Locker attacked. It had already replaced its outdated VPN devices, all except for the one used by the ransomware group. This device was left on the network as an emergency backup to help manage the increased load caused by the Covid-19 pandemic, and was being used by staff working remotely from home.
VPNs are used to give users extra security, privacy and freedom while online. However, if not kept up to date, they can be turned against users and firms, as occurred in this instance. Unfortunately, due to the pandemic, Capcom did not implement its defensive measures fully, leaving a hole in its defenses through which Ragnar Locker was able to attack. Needless to say, the outdated VPN device has since been removed from Capcom's network.
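A simple check for the failure mode described above, written here as an added example (it is not Capcom's code and not taken from the update): an inventory of VPN devices records each device's upgrade status and any approved temporary exception, and the check classifies every device still outside the upgrade program so a lapsed "emergency backup" exception is flagged before it becomes a forgotten entry point. Device names, sites and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class VpnDevice:
    name: str
    site: str
    upgraded: bool                    # replaced or patched under the upgrade program
    exception_until: Optional[date]   # expiry of an approved temporary exemption, if any


# Constructed sample inventory (hypothetical names, sites and dates, not Capcom data).
INVENTORY: List[VpnDevice] = [
    VpnDevice("vpn-hq-01", "Osaka", upgraded=True, exception_until=None),
    VpnDevice("vpn-ca-backup", "California", upgraded=False, exception_until=date(2020, 9, 30)),
    VpnDevice("vpn-eu-02", "London", upgraded=False, exception_until=None),
    VpnDevice("vpn-jp-03", "Tokyo", upgraded=False, exception_until=date(2020, 12, 31)),
]

AS_OF = date(2020, 11, 1)  # constructed review date


def classify_devices(inventory: List[VpnDevice], today: date) -> Dict[str, str]:
    """Map each device still outside the upgrade program to a finding.

    'undocumented': outdated with no approved exception (should not exist)
    'lapsed':       exception expired but the device is still on the network
    'active':       exception still valid; keep it on the review list
    Upgraded devices are not reported.
    """
    findings: Dict[str, str] = {}
    for dev in inventory:
        if dev.upgraded:
            continue
        if dev.exception_until is None:
            findings[dev.name] = "undocumented"
        elif dev.exception_until < today:
            findings[dev.name] = "lapsed"
        else:
            findings[dev.name] = "active"
    return findings


def report(findings: Dict[str, str]) -> List[str]:
    """Render findings as one line per device, most urgent first."""
    order = {"undocumented": 0, "lapsed": 1, "active": 2}
    ranked = sorted(findings.items(), key=lambda kv: (order[kv[1]], kv[0]))
    return [f"{status.upper():12} {name}" for name, status in ranked]


if __name__ == "__main__":
    for line in report(classify_devices(INVENTORY, AS_OF)):
        print(line)
```

Run against a real inventory, the same check belongs in the change process that retires an upgrade program, so that "temporary" devices are reviewed on a date rather than remembered.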
Capcom Increases Security Measures
Since the cyberattack, Capcom has increased its security measures so as to prevent any recurrence of the incident. Security measures are being put in place at both a technical and an organizational level.
At a technical level, new monitoring and early warning systems have been implemented. These include a Security Operation Center (SOC) that will "monitor external connections around the clock" and an Endpoint Detection and Response (EDR) system to provide early detection of unusual activity on devices within its network. Capcom has also undertaken a review of all its VPNs and has improved management methods for these and other devices.
At an organizational level, Capcom has created a new section and committee to deal with the firm's cybersecurity. A new Information Technology Security Oversight Committee (ITSOC) has been set up, as well as an Information Technology Surveillance (ITS) section. The ITS is tasked with gathering cybersecurity information and building knowledge of preventative measures so as to be able to make recommendations to the ITSOC.