Gaming Company Confirms Ragnar Locker Ransomware Attack


Capcom Says Over 350,000 Customer, Business Records Possibly Compromised


Japanese computer game company Capcom acknowledged this week that a November security incident was a Ragnar Locker ransomware attack that resulted in about 350,000 customer and company records potentially compromised, including sales and shareholder data.


The ransomware attack is now under investigation, but the company is providing some details publicly.

Capcom says it was hit with a “customized ransomware attack” following unauthorized access to its network, according to the update posted Monday. The company has divided the compromised information into two sections, verified and potentially compromised, with a small number of records falling into the former category and about 350,000 in the latter bucket.

“Any targeted attack will also be customized in some way to make it more successful and, in this case, the customization was to look for certain data, delete certain logs and steal specific information,” says Laurence Pitt, technical security lead with the security company Juniper Networks. “This level of customization means that the group – Ragnar Locker – who admitted to the breach, will likely have a template that they adapt for other online gaming companies and businesses.”

Confirmed Data Loss

Capcom, which makes the popular game Resident Evil, notes that the ransomware attack was first noticed by its internal security team on Nov. 2, when its systems suffered connectivity issues. The IT team shut down the network to conduct an investigation and found a note from Ragnar Locker demanding an unspecified ransom. The company then contacted local law enforcement.

The compromised company data verified by Capcom involves only nine current and former employees, sales reports and company financial data. For former workers, this employee data includes names, signatures, addresses and passport information; for current staffers, only their names and information held by the human resources department were compromised, according to the update.

Potentially Compromised Records

Apart from the confirmed employee data, the videogame maker also notes that about 140,000 records belonging to the company’s Japanese customer service video game support help desk may have been stolen or compromised. This would include personal information such as names, addresses, phone numbers and email addresses.

From the North America region, the hackers may have accessed information of about 14,000 items of Capcom Store members and about 4,000 member records of its Esports website that may include names, birthdates, email addresses and gender information, according to the statement.

Capcom also suspects that the attackers gained access to the records of about 40,000 corporate shareholders that could include names, addresses, shareholder numbers and amount of shareholdings, according to the update.

The report also notes the hackers may have the personal information of about 28,000 former employees, including their families, as well as access to information of over 125,000 applicants, Capcom reports.

The company also says human resources information of about 14,000 individuals may be involved, as well as targeted corporate information such as sales data, business partner information, sales documents and development documents.

At this time, it does not appear that any payment or credit card data has been compromised, according to the update.

Following the attack, Capcom says that it has contacted various government agencies that oversee citizens’ privacy and rights following a security incident, including the Personal Information Protection Commission in Japan and the Information Commissioner’s Office in the U.K., which enforces the EU’s General Data Protection Regulation.

The Attack

Capcom has not stated the ransom amount demanded, but the gang behind Ragnar Locker is known to use extortion tactics to pressure its victims into paying (see: Ransomware Gang Devises Innovative Extortion Tactic).

A company spokesperson could not be immediately reached for additional comments or details.

While credit and payment card data does not appear to have been compromised, the other information the attackers possibly exfiltrated is potentially quite valuable, says Saryu Nayyar, CEO of the security firm Gurucul.

“Gaming credentials are valuable to some people for a number of reasons,” Nayyar says. “First, some games allow the purchase of in-game items with real-world money, which means there is some real-world value there for people who buy and sell those items. Some particularly valuable items can sell for hundreds of dollars, which makes account access potentially valuable.”

The information can also be used for spear-phishing or social-engineering efforts in other attacks, Nayyar notes.