Japanese video game company Capcom has been in the news recently for all the wrong reasons.
The company suffered a ransomware attack earlier this month, apparently at the hands of the Ragnar Locker gang, and has been having a hard time with the criminals since.
Rumours have suggested that the crooks opened the bidding with eight digits’ worth of blackmail, demanding $11,000,000 in cryptocurrency in return for two things:
- A decryptor to recover files scrambled in the attack.
- A promise not to reveal corporate data stolen before the files were scrambled.
More precisely, if what we’ve seen is the actual ransom note from the Capcom attack, the crooks aren’t really promising anything.
The wording is more menacing than that, warning in stilted English that: “If No Deal made then all your data will be Published and/or Sold through an auction to third parties.”
Ransomware crooks, of course, can never prove that they really do delete the stolen files of victims who pay up; they can’t prove that they didn’t sell them on already; and they certainly aren’t going to be able to reassure any victims that the files they stole haven’t already been stolen from them in turn.
And in this case, the crooks aren’t even bothering to say they won’t keep the files if they receive the blackmail money.
They’re just saying that they definitely will leak them if they don’t get paid.
Just because criminals can break into your network doesn’t mean they’re any good at securing their own network, or even that they feel they need to bother with security themselves as long as it’s only your files lying around on their servers to be stolen, and not their ill-gotten cryptocurrency.
Well, Capcom updated its breach notes today.
Along with some bad news, there are glimmers of good news that in our opinion reflect well on the company, even though – despite itself being the victim of a very serious crime – it is in the unenviable position of reporting itself to the data protection authorities in both the UK and Japan for a data breach.
The bad news is that, so far as Capcom can tell, the crooks made off with quite a lot of personal information from customers, staff (including ex-employees) and shareholders, as follows:
i. Personal information (customers, business partners, etc.): max of approx. 350,000 items
- Japan: Customer service video game support help desk information (approx. 134,000 items): Names, addresses, phone numbers, email addresses
- North America: Capcom Store member information (approx. 14,000 items): Names, birthdates, email addresses
- North America: Esports operations website members (approx. 4,000 items): Names, email addresses, gender information
- List of shareholders (approx. 40,000 items): Names, addresses, shareholder numbers, amount of shareholdings
- Former employees’ (including family) information (approx. 28,000 people); Applicants’ information (approx. 125,000 people): Names, birthdates, addresses, phone numbers, email addresses, photos, etc.
ii. Personal information (employees and related parties)
- Human resources information (approx. 14,000 people)
The company also made a rather open-ended admission that it lost “[s]ales data, business partner information, sales documents, development documents, etc.”
Additionally, it was forced to note that “the overall [amount] of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack.”
To be fair to Capcom, it’s possible that the missing logs would show what didn’t happen and therefore that the true breach numbers are lower than listed above.
But the problem that every victim suffers after a breach is that it is also possible that the missing logs might have revealed yet more trouble, and therefore that things were even worse than was first thought.
We don’t think that’s the case here, but anyone who has been breached and later realised that the attackers were inside the network for some time beforehand will remember the sinking feeling of wondering just how much of anything left behind after the attack could be trusted at all, including the logs that remained.
What’s the good news, then?
The good news is that, as far as we know, Capcom hasn’t paid the crooks one brass satoshi. (That’s one hundred millionth of a Bitcoin, currently [2020-11-16T20:45:00Z] worth less than two-hundredths of a US cent.)
The crooks, it seems, have vented their anger at this by leaking Capcom data, as threatened…
…but the world seems to be taking this in good humour so far.
As you know, we’ve urged you before not to peek at, and definitely NOT TO SHARE, known-stolen data leaked by ransomware criminals, in order to show a bit of respect to companies that decide to take it on the chin and not to pay off their blackmailers.
But from the discussions we’ve seen on Reddit (take with a pinch of salt if you wish) amongst some of those who claim to have peeked at the internal company data, which allegedly includes confidential release plans and source code, we’ve seen happy comments including:
Some good stuff in the [REDACTED] design doc. Planned June 2021 release for [REDACTED]. Very pretty graphics. Aiming for older audience while making it still accessible to elementary/middle school age.
Yeah I just read through that and it looks absolutely beautiful.
[REDACTED] in April with demo in March, can’t wait!
[REDACTED coming out] in October is very cool.
What to do?
To keep this sort of disaster out of your network, consider the following:
- Keep on educating your users about the latest phishing threats. A significant proportion of ransomware attacks begin with a foothold gained by the crooks through fraudulent web links or attachments sent in via email. Consider tools such as Sophos Phish Threat that allow you to test and educate your own users with realistic but fake phishing emails, so they can make their mistakes with you and not with the crooks.
- Regularly review your remote access portals. Shut down remote access tools you don’t need; pick proper passwords; and require the use of 2FA whenever you can. One forgotten or incorrectly configured RDP server, for example, or one SSH account that’s been phished and isn’t protected by 2FA, might be all the crooks need to initiate their attack.
- Patch early and patch often. Patches aren’t just for internet-facing servers. Criminals identify and exploit buggy software inside your network in order to make a bad thing worse by expanding what’s called the surface area of an attack.
- Don’t ignore the early signs of an attack. If your system logs are showing an unusual pattern of threat detections – notably of malware apparently launched from inside the network, or sysadmin tools turning up where you wouldn’t expect them – don’t delay. Investigate today.
- Consider getting help if you need it. Experts such as the Sophos Managed Threat Response and Rapid Response teams can jump in at short notice when you spot trouble. They can help out (or even take care of the whole thing for you if you are really short of staff or expertise) when you simply don’t have the time to investigate in detail yourself.
- Give your staff a single phone number or email address where they can report trouble. Help your own staff to be the eyes and ears of your security team and they will help you to catch sight of attacks sooner. Ransomware crooks don’t send one phishy email to one person and then move on to another company if it doesn’t work, so the sooner anyone says something to someone, the sooner everyone can be advised and the better the chance that no one will be affected.
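As an added example (not Capcom’s or Sophos’s own code) of the “don’t ignore the early signs” point above, the following Python triage runs the two checks that item names over constructed endpoint log lines: malware detections that arrive from another internal host, and sysadmin tools appearing on hosts or under accounts where they are not expected. The host names, admin-tool list and log format are assumptions made for the example.

```python
# Added example (not Capcom's code): flag the early signs the article lists in
# constructed endpoint logs. Host names, tool list and log format are assumptions.
import re
from collections import defaultdict

ADMIN_HOSTS = {"jump01", "jump02"}   # assumed: hosts where admin tooling is expected
ADMIN_USERS = {"sysadmin"}           # assumed: accounts expected to run it
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "vssadmin.exe", "net.exe"}
LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"event=(?P<event>\S+)(?P<rest>.*)")

def parse(line):
    """Parse 'ts host=.. user=.. event=.. k=v ...' into a dict; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(kv.split("=", 1) for kv in rec.pop("rest").split() if "=" in kv)
    return rec

def triage(lines, escalate_at=2):
    """Return (alerts, hosts to investigate today); a host escalates at escalate_at alerts."""
    alerts, per_host = [], defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        host, user, event, reason = rec["host"], rec["user"], rec["event"], None
        if event == "malware_detected" and rec.get("origin") == "internal":
            # Malware arriving from another internal host: the intruder is already inside.
            reason = f"malware launched from internal host {rec.get('src')}"
        elif event == "process_start":
            image = rec.get("image", "").lower()
            if image in ADMIN_TOOLS and (host not in ADMIN_HOSTS or user not in ADMIN_USERS):
                # Sysadmin tool on a workstation or under a non-admin account.
                reason = f"admin tool {image} run by {user} outside expected context"
        if reason:
            alerts.append((host, reason))
            per_host[host] += 1
    return alerts, {h for h, n in per_host.items() if n >= escalate_at}

# Constructed sample log lines (not real telemetry); the last one is deliberately malformed.
SAMPLE_LOG = """\
2020-11-16T20:40:01Z host=ws-finance07 user=jdoe event=process_start image=EXCEL.EXE
2020-11-16T20:41:15Z host=ws-finance07 user=jdoe event=malware_detected name=Troj/Generic-A origin=internal src=ws-hr03
2020-11-16T20:42:30Z host=ws-finance07 user=jdoe event=process_start image=vssadmin.exe
2020-11-16T20:43:02Z host=jump01 user=sysadmin event=process_start image=psexec.exe
2020-11-16T20:44:10Z host=ws-hr03 user=asmith event=process_start image=net.exe
2020-11-16T20:45:00Z host=ws-hr03 user=asmith event=malware_detected name=Troj/Generic-A origin=external src=mail
not a log line""".splitlines()
```

Calling `triage(SAMPLE_LOG)` yields three alerts, and only `ws-finance07` (an internal-origin detection followed by an admin tool on a workstation) crosses the escalation threshold; the admin tool on the jump host under the admin account is left alone.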
Good for them! If there’s no money in ransomware, there will be no more ransomware.
“Cult” videogame company? Capcom? Not sure about that one Paul. Good read otherwise! Glad they didn’t pay these scumbags.
Street Fighter. That’s cultic enough, surely? (You know what? I’m going to ask Doug when we record this week’s podcast 🙂)
Something being “cult” usually implies that they are less well known but very popular within a certain small group. Capcom is one of the most well known video game companies in the industry and has been around since the arcade days. Street Fighter is just one of many large franchises they own.
As far as I know, the name Capcom is short for “capsule computers”, or what in American English you would call “arcade consoles”.
I still think it’s allowed for a mainstream company that is very well known to have a “cult following”. (If it is not then I suspect a lot of Mac fans will feel relieved because it means they can no longer be accused of belonging to a cult, given how mainstream Apple is.)
Anyway, I am taking cult to mean the nature of the following and not its size. Podcast recording is in a few hours so I shall be asking Doug for confirmation.
No financials, no credit cards, no passwords. No problem.
I wouldn’t say *no* problem… and leaking shareholder details can be considered “financials”.
HR records for 1000s of staff sounds worrying – you can imagine that includes lots of data that would help with identity theft. Remember that you can easily change your password, and you can get a new credit card, but details like home address are much harder to change, while SSNs are almost impossible and you are stuck with your DOB forever…
Isn’t it also possible that they DID pay them but are saying that they didn’t?
They are still in business, right?
I imagine if that happened it would be hard to hide from the various regulators…
…but in a roundabout way it might work out quite well if they paid and the crooks leaked the data anyway. That would probably be a massive disincentive to paying up for future victims.