Cult videogame company Capcom pays a big round $0.00 to ransomware crooks

Japanese video game company Capcom has been in the news recently for all the wrong reasons.

The company suffered a ransomware attack earlier this month, apparently at the hands of the Ragnar Locker gang, and has been having a hard time with the criminals since.

Rumours have suggested that the crooks opened the bidding with eight digits’ worth of blackmail, demanding $11,000,000 in cryptocurrency in return for two things:

  • A decryptor to recover files scrambled in the attack.
  • A promise not to reveal corporate data stolen before the files were scrambled.

More precisely, if what we’ve seen is the actual ransom note from the Capcom attack, the crooks aren’t really promising anything.

The wording is more menacing that that, warning in stilted English that: “If No Deal made then all your data will be Published and/or Sold through an auction to third parties.

Ransomware crooks, of course, can never prove that they really do delete the stolen files of victims who pay up; they can’t prove that they didn’t sell them on already; and they certainly aren’t going to be able to reassure any victims that the files they stole haven’t already been stolen from them in turn.

And in this case, the crooks aren’t even bothering to say they wont’t keep the files if they receive the blackmail money.

They’re just saying that they definitely will leak them if they don’t get paid.

Just because criminals can break into your network doesn’t mean they’re any good at securing their own network, or even that they feel they need to bother with security themselves as long as it’s only your files lying around on their servers to be stolen, and not their ill-gotten cryptocurrency.

Well, Capcom updated its breach notes today.

Along with some bad news, there are glimmers of good news that in our opinion reflect well on the company, even though – despite itself being the victim of a very serious crime – it is in the unenviable position of reporting itself to the data protection authorities in both the UK and Japan for a data breach.

The bad news is that, so far as Capcom can tell, the crooks made off with quite a lot of personal information from customers, staff (including ex-employees) and shareholders, as follows:

i. Personal information (customers, business partners, etc.): max of approx. 350,000 items

  Japan: Customer service video game support help desk information (approx. 134,000 items)
     Names, addresses, phone numbers, email addresses
  North America: Capcom Store member information (approx. 14,000 items)
     Names, birthdates, email addresses
  North America: Esports operations website members (approx. 4,000 items)
     Names, email addresses, gender information
  List of shareholders (approx. 40,000 items)
     Names, addresses, shareholder numbers, amount of shareholdings
  Former employees' (including family) information (approx. 28,000 people);
  Applicants' information (approx. 125,000 people)
     Names, birthdates, addresses, phone numbers, email addresses, photos, etc.

ii. Personal information (employees and related parties)

  Human resources information (approx. 14,000 people)

The company also made a rather open-ended admission that it lost “[s]ales data, business partner information, sales documents, development documents, etc.”

Additionally, it was forced to note that “the overall [amount] of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack.”

To be fair to Capcom, it’s possible that the missing logs would show what didn’t happen and therefore that the true breach numbers are lower than listed above.

But the problem that every victim suffers after a breach is that it is also possible that the missing logs might have revealed yet more trouble, and therefore that things were even worse than was first thought.

We don’t think that’s the case here, but anyone who has been breached and later realised that the attackers were inside the network for some time beforehand will remember the sinking feeling of wondering just how much of anything left behind after the attack could be trusted at all, including the logs that remained.

What’s the good news, then?

The good news is that, as far we know, Capcom hasn’t paid the crooks one brass satoshi. (That’s one hundred millionth of a Bitcoin, currently [2020-11-16T20:45:00Z] worth less than two-hundredths of a US cent.)

The crooks, it seems, have vented their anger at this by leaking Capcom data, as threatened…

…but the world seems to be taking this in good humour so far.

As you know, we’ve urged you before not to peek at, and definitely NOT TO SHARE, known-stolen data leaked by ransomware criminals, in order to show a bit of respect to companies that decide to take it on the chin and not to pay off their blackmailers.

But from the discussions we’ve seen on Reddit (take with a pinch of salt if you wish) amongst some of those who have claim to have peeked at the internal company data, which allegedly includes confidential release plans and source code, we’ve seen happy comments including:

Some good stuff in the [REDACTED] design doc. Planned June 2021 release for [REDACTED]. Very pretty graphics. Aiming for older audience while making it still accessible to elementary/middle school age.

Yeah I just read through that and it looks absolutely beautiful.

[REDACTED] in April with demo in March, can’t wait!

[REDACTED coming out] in October is very cool.

What to do?

To keep this sort of disaster out of your network, consider the following:

  • Keep on educating your users about the latest phishing threats. A significant proportion of ransomware attacks begin with a foothold gained by the crooks through fraudulent web links or attachments sent in via email. Consider tools such as Sophos Phish Threat that allow you to test and educate your own users with realistic but fake phishing emails, so they can make their mistakes with you and not with the crooks.
  • Regularly review your remote access portals. Shut down remote access tools you don’t need; pick proper passwords; and require the use of 2FA whenever you can. One forgotten or incorrectly configured RDP server, for example, or one SSH account that’s been phished and isn’t protected by 2FA, might be all the crooks need to initiate their attack.
  • Patch early and patch often. Patches aren’t just for internet facing servers. Criminals idenitify and exploit buggy software inside your network in order to make a bad thing worse by expanding what’s called the surface area of an attack.
  • Don’t ignore the early signs of an attack. If your system logs are showing an unusual pattern of threat detections – notably of malware apparently launched from inside the network, or sysadmin tools turning up where you wouldn’t expect them – don’t delay. Investigate today.
  • Consider getting help if you need it. Experts such as the Sophos Managed Threat Reponse and Rapid Response teams can jump in at short notice when you spot trouble. They can help out (or even take care of the whole thing for you if you are really short of staff or expertise) when you simply don’t the time to investigate in detail yourself.
  • Give your staff a single phone number or email address where they can report trouble. Help your own staff to be the eyes and ears of your security team and they will help you to catch sight of attacks sooner. Ransomware crooks don’t send one phishy email to one person and then move on to another company if it doesn’t work, so the sooner anyone says something to someone, the sooner everyone can be advised and the better the chance than no one will be affected.