Capcom Identifies Older VPN Device as Entry Point of November's Ransomware Attack
posted on by Alex Mateo
CAPCOM revealed on Tuesday the results of its investigation on the ransomware attack on its network in November.
According to IT specialists, the cyberattack was carried out in October on an older backup Virtual Private Network (VPN) device that had been maintained at Capcom U.S.A., CAPCOM's North American subsidiary. CAPCOM had already introduced a different, newer model of VPN device. However, the subsidiary kept one older VPN device as an emergency backup because of the burden placed on the company's network by the spread of the new coronavirus disease (COVID-19). The older VPN device was the target of the attack, and it has since been removed from the network.
Some devices at both CAPCOM's U.S. and Japanese offices were compromised through the affected old VPN device, which led to information theft. In the final stage of the attack, some devices at its offices were infected with ransomware on November 1 beginning around 11:00 p.m. JST, resulting in the files on affected devices being encrypted. Beginning in the early morning hours of November 2, some of the CAPCOM Group networks experienced issues that affected access to certain systems, including email and file servers.
CAPCOM has taken a variety of measures to strengthen existing security with the aim of preventing reoccurrence. This includes implementing a Security Operation Center (SOC) service, which continuously monitors systems and networks, and Endpoint Detection and Response (EDR), which allows for early detection of unusual activity on devices.
The company revealed that the cyberattacker left a message file on the devices that were infected with ransomware containing contact information for negotiation but no mention of a ransom amount. CAPCOM decided not to engage the cyberattacker in negotiation.
CAPCOM confirmed in January that personal information maintained by the CAPCOM Group had been compromised following the customized ransomware attack. CAPCOM had announced on November 16 that the personal information of nine people had been compromised, and the company later reported in an investigation update that the personal information of an additional 16,406 people had been compromised.
With its latest update, CAPCOM confirmed a lowered total of 15,649 people have had their personal information — including name, address, phone number, email address, and HR information — compromised from the unauthorized network attack.
CAPCOM's internal systems have mostly recovered, and its business operations have returned to normal. The company reported that there have been no changes to CAPCOM Group's consolidated business results for the fiscal year ending March 31.
CAPCOM had announced on November 4 that some of the company group's networks experienced issues due to unauthorized access from a third party, affecting access to its systems, including email and file servers, starting in the early morning of November 2. The company halted some internal network operations. CAPCOM verified that it had discovered a message from a criminal organization calling itself "Ragnar Locker" and contacted the Osaka Prefectural Police after confirming that the group was demanding ransom money. The company discovered the compromised items on November 12.
As of November 16, CAPCOM had reported the network issues to the supervisory authority under the General Data Protection Regulation (the Information Commissioner's Office in the U.K.) and to the Personal Information Protection Commission in Japan. The company had also implemented protective software, shut down suspicious transmissions, and carried out server reconstruction. CAPCOM hired a third-party security company, and it arranged a reporting and consulting structure with a major software company, a security specialist vendor, and law offices.
CAPCOM had previously stated that the attack may have compromised additional personal and corporate information. The potentially compromised personal data includes Japanese customer service video game support help desk information, North American CAPCOM Store and Esports operations website member information, a shareholder list, and personal information on former employees, their families, applicants, and human resources workers. Potentially compromised corporate data includes sales data, business partner information, sales documents, and development documents. CAPCOM verified that none of this data contains credit card information.
CAPCOM will continue coordinating with law enforcement authorities in the U.S. and Japan, a major information technology security specialist company, and external security experts.
The incident has not affected CAPCOM's online game connections or website access. The company apologized for any concerns regarding this incident, and it stated that it believes any effect on CAPCOM Group's consolidated business results for this fiscal year will be negligible.