Gaming Company Confirms Ragnar Locker Ransomware Attack
Capcom Says Over 350,000 Customer and Business Records Possibly Compromised
Japanese computer game company Capcom acknowledged this week that a November security incident was a Ragnar Locker ransomware attack that resulted in about 350,000 customer and company records, including sales and shareholder data, potentially being compromised.
The ransomware attack is now under investigation, but the company is providing some details.
Capcom says it was hit with a "customized ransomware attack" following unauthorized access to its network, according to an update posted Monday. The company has divided the compromised information into two sections - verified and potentially compromised - with a small number of records falling into the former category and about 350,000 into the latter one.
"Any targeted attack will also be customized in some way to make it more successful and, in this case, the customization was to look for certain data, delete certain logs and steal specific information," says Laurence Pitt, technical security lead with the security company Juniper Networks. "This level of customization means that the group - Ragnar Locker - who admitted to the breach will likely have a template that they adapt for other online gaming companies and businesses."
Confirmed Data Loss
Capcom, which makes the popular game Resident Evil, notes that the ransomware attack was first noticed by its internal security team on Nov. 2, when its systems suffered connectivity issues. The IT team shut down the network to conduct an investigation and found a note from Ragnar Locker demanding an unspecified ransom. The company then contacted local law enforcement officials.
The compromised company data verified by Capcom involves only nine current and former employees, sales reports and company financial data. This employee data includes names, signatures, addresses and passport information for former workers. For current staffers, just their names and information held by the human resources department were compromised, according to the update.
Potentially Compromised Records
Apart from the confirmed employee data, the video game maker also notes that about 140,000 records belonging to the company's Japanese customer service video game support help desk may have been stolen or compromised. This would include personal information such as names, addresses, phone numbers and email addresses.
From the North America region, the hackers may have accessed information on about 14,000 Capcom Store members and records for about 4,000 members of its Esports website that may include names, birthdates, email addresses and gender, according to the statement.
Capcom also suspects that the attackers gained access to the records of about 40,000 corporate shareholders that could include names, addresses, shareholder numbers and amount of shareholdings, the update states.
The hackers may also have obtained the personal information of about 28,000 former employees and their families and accessed information of over 125,000 applicants, Capcom reports.
The company also says human resources information on about 14,000 individuals and corporate information - such as sales data, business partner information, sales documents and development documents - may have been exposed.
At this time, it does not appear that any payment or credit card information has been compromised, according to the update.
Following the attack, Capcom says, it contacted government agencies, including the Personal Information Protection Commission in Japan and the Information Commissioner's Office in the U.K., which enforces the EU's General Data Protection Regulation.
The Attack
Capcom has not stated the ransom amount demanded, but the gang behind Ragnar Locker is known to use extortion tactics to pressure its victims into paying (see: Ransomware Gang Devises Innovative Extortion Tactic).
A company spokesperson could not be immediately reached for additional comments or details.
While credit and payment card data does not appear to have been compromised, the other information the attackers possibly exfiltrated is potentially quite valuable, says Saryu Nayyar, CEO of the security firm Gurucul.
"Gaming credentials are valuable to some people for a number of reasons," Nayyar says. "First, some games allow the purchase of in-game items with real-world money, which means there is some real-world value there for people who buy and sell those items. Some particularly valuable items can sell for hundreds of dollars, which makes account access potentially valuable."
The information can also be used for spear-phishing or social engineering efforts in other attacks, Nayyar notes.