Japan video game company Capcom suffers ransomware attack

Japanese video game company Capcom recently suffered a ransomware attack, apparently at the hands of the Ragnar Locker gang, and has been having a hard time with the criminals since then.

As per the rumours the crooks have made demand of $11,000,000 in cryptocurrency in the return for two things:

A decryptor to recover files scrambled in the attack.

A promise not to reveal corporate data stolen before the files were scrambled.

The wording, more menacing that, warning in stilted English that: “If No Deal made then all your data will be Published and/or Sold through an auction to third parties.”

Just because criminals can break into network doesn’t mean they’re any good at securing their own network, or even that they feel they need to bother with security themselves as long as it’s only your files lying around on their servers to be stolen, and not their ill-gotten cryptocurrency.

The bad news is that, so far as Capcom can tell, the crooks made off with quite a lot of personal information from customers, staff (including ex-employees) and shareholders.

The company also made a rather open-ended admission that it lost “[s]ales data, business partner information, sales documents, development documents, etc.”

Additionally, it was forced to note that “the overall [amount] of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack.”

To be fair to Capcom, it’s possible that the missing logs would show what didn’t happen and therefore that the true breach numbers are lower than listed above.

But the problem that every victim suffers after a breach is that it is also possible that the missing logs might have revealed yet more trouble, and therefore that things were even worse than was first thought.

We don’t think that’s the case here, but anyone who has been breached and later realised that the attackers were inside the network for some time beforehand will remember the sinking feeling of wondering just how much of anything left behind after the attack could be trusted at all, including the logs that remained.

Paul Ducklin, Principal Research Scientist at Sophos says

To keep this sort of disaster out of your network, consider the following:

Keep on educating your users about the latest phishing threats. A significant proportion of ransomware attacks begin with a foothold gained by the crooks through fraudulent web links or attachments sent in via email. Consider tools such as Sophos Phish Threat that allow you to test and educate your own users with realistic but fake phishing emails, so they can make their mistakes with you and not with the crooks.

Regularly review your remote access portals. Shut down remote access tools you don’t need; pick proper passwords; and require the use of 2FA whenever you can. One forgotten or incorrectly configured RDP server, for example, or one SSH account that’s been phished and isn’t protected by 2FA, might be all the crooks need to initiate their attack.

Patch early and patch often. Patches aren’t just for internet facing servers. Criminals idenitify and exploit buggy software inside your network in order to make a bad thing worse by expanding what’s called the surface area of an attack.

Don’t ignore the early signs of an attack. If your system logs are showing an unusual pattern of threat detections – notably of malware apparently launched from inside the network, or sysadmin tools turning up where you wouldn’t expect them – don’t delay. Investigate today.

Consider getting help if you need it. Experts such as the Sophos Managed Threat Response and Rapid Response teams can jump in at short notice when you spot trouble. They can help out (or even take care of the whole thing for you if you are really short of staff or expertise) when you simply don't have the time to investigate in detail yourself.

Give your staff a single phone number or email address where they can report trouble. Help your own staff to be the eyes and ears of your security team and they will help you to catch sight of attacks sooner. Ransomware crooks don’t send one phishy email to one person and then move on to another company if it doesn’t work, so the sooner anyone says something to someone, the sooner everyone can be advised and the better the chance than no one will be affected.