Category Archives: News

Sophos 2021 Threat Report: Navigating cybersecurity in an uncertain world

We know what you’re thinking: “Another year; another vendor; another threat report…

…and when I open it, I’ll be stuck in a thinly disguised product brochure.”

Well, not this one.

We’ve combined research from a number of threat prevention groups inside Sophos, including SophosLabs, Sophos Managed Threat Response, Sophos Rapid Response, Sophos AI, and our Cloud Security team, to deliver a comprehensive review of the security landscape.

This year’s report is in four parts:

  • Ransomware and its recent transformation into a two-headed attack involving extortion for the decryption key and blackmail to delete stolen files.
  • Other malware that still poses a significant threat to organisations.
  • How cybersecurity has been affected in 2020 by the twin factors of the coronavirus pandemic and working from home.
  • The evolution of attacks against devices that aren’t laptops or servers, including phones, routers, smart TVs and other “non-traditional” computers.

In the report, you’ll also find useful details of how cybercriminals are turning software that many of you may already use on your own networks against you, aiming to hide in plain sight from your own IT security team.

For example, here’s an attack table that shows the variety of tools used in a typical Dharma ransomware invasion:

Learn about “living off the land”, where crooks use your own tools against you, in the full report.

We’ve also provided a fascinating chart showing you 20 years of malware history on one page, so that you can see how we got to where we are now, from the “It’s All About Worms” epoch to the present day, where “It’s All About Your Data”.

See the chart, plus a description of each item, in the full report.

Digital epidemiology

The report also includes a technical appendix from the Sophos AI team that gives you an insight into how machine learning systems can help to winnow out harmless objects from dangerous ones, even in an enormous collection of previously unknown and unseen files.

For example, imagine you’re a threat responder called in by someone who’s already suffered a malware attack and wants to figure out what happened – and, more importantly, what the crooks might have left behind…

…across a whole network.

As you can imagine, the malware that actually unleashed the final part of the attack is typically easy to find, assuming that it didn’t delete itself afterwards to make identification harder.

Tracking down something when you have a good idea in advance what to look for is a bit like taking a journey using a route you’ve tried before, where you already have a good set of landmarks in your mind.

But what about everything else? What can you still trust? What if there were programs there from before the attack that somehow weren’t as safe as you thought and that the crooks used as a helping hand?

You could upload everything, absolutely everything, and sift through it using traditional analysis techniques for days – or, more likely, for weeks or months.

However, even after you finished, you might have very little or nothing to help you deal with future attacks, assuming that those “future attacks” hadn’t already happened while you were trying to catch up.

Enter Digital Epidemiology, the inspiration for a malware processing tool that helps to find needles in haystacks.

Learn more about digital epidemiology in the full report.

The Sophos 2021 Threat Report is a great read for anyone interested in cybersecurity.

Please take a look and give us your thoughts in the comments below.


Cult videogame company Capcom pays a big round $0.00 to ransomware crooks

Japanese video game company Capcom has been in the news recently for all the wrong reasons.

The company suffered a ransomware attack earlier this month, apparently at the hands of the Ragnar Locker gang, and has been having a hard time with the criminals since.

Rumours have suggested that the crooks opened the bidding with eight digits’ worth of blackmail, demanding $11,000,000 in cryptocurrency in return for two things:

  • A decryptor to recover files scrambled in the attack.
  • A promise not to reveal corporate data stolen before the files were scrambled.

More precisely, if what we’ve seen is the actual ransom note from the Capcom attack, the crooks aren’t really promising anything.

The wording is more menacing than that, warning in stilted English that: “If No Deal made then all your data will be Published and/or Sold through an auction to third parties.”

Ransomware crooks, of course, can never prove that they really do delete the stolen files of victims who pay up; they can’t prove that they didn’t sell them on already; and they certainly aren’t going to be able to reassure any victims that the files they stole haven’t already been stolen from them in turn.

And in this case, the crooks aren’t even bothering to say they won’t keep the files if they receive the blackmail money.

They’re just saying that they definitely will leak them if they don’t get paid.

Just because criminals can break into your network doesn’t mean they’re any good at securing their own network, or even that they feel they need to bother with security themselves as long as it’s only your files lying around on their servers to be stolen, and not their ill-gotten cryptocurrency.

Well, Capcom updated its breach notes today.

In amongst some bad news, there are glimmers of good news that in our opinion reflect well on the company, even though – despite itself being the victim of a very serious crime – it is in the unenviable position of reporting itself to the data protection authorities in both the UK and Japan for a data breach.

The bad news is that, so far as Capcom can tell, the crooks made off with quite a lot of personal information from customers, staff (including ex-employees) and shareholders, as follows:

i. Personal information (customers, business partners, etc.): max of approx. 350,000 items

  • Japan: Customer service video game support help desk information (approx. 134,000 items) – Names, addresses, phone numbers, email addresses
  • North America: Capcom Store member information (approx. 14,000 items) – Names, birthdates, email addresses
  • North America: Esports operations website members (approx. 4,000 items) – Names, email addresses, gender information
  • List of shareholders (approx. 40,000 items) – Names, addresses, shareholder numbers, amount of shareholdings
  • Former employees’ (including family) information (approx. 28,000 people); Applicants’ information (approx. 125,000 people) – Names, birthdates, addresses, phone numbers, email addresses, photos, etc.

ii. Personal information (employees and related parties)

  • Human resources information (approx. 14,000 people)

The company also made a rather open-ended admission that it lost “[s]ales data, business partner information, sales documents, development documents, etc.”

Additionally, it was forced to note that “the overall [amount] of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack.”

To be fair to Capcom, it’s possible that the missing logs would show what didn’t happen and therefore that the true breach numbers are lower than listed above.

But the problem that every victim suffers after a breach is that it is also possible that the missing logs might have revealed yet more trouble, and therefore that things were even worse than was first thought.

We don’t think that’s the case here, but anyone who has been breached and later realised that the attackers were inside the network for some time beforehand will remember the sinking feeling of wondering just how much of anything left behind after the attack could be trusted at all, including the logs that remained.

What’s the good news, then?

The good news is that, as far as we know, Capcom hasn’t paid the crooks one brass satoshi. (That’s one hundred millionth of a Bitcoin, currently [2020-11-16T20:45:00Z] worth less than two-hundredths of a US cent.)

The crooks, it seems, have vented their anger at this by leaking Capcom data, as threatened…

…but the world seems to be taking this in good humour so far.

As you know, we’ve urged you before not to peek at, and definitely NOT TO SHARE, known-stolen data leaked by ransomware criminals, in order to show a bit of respect to companies that decide to take it on the chin and not to pay off their blackmailers.

But from the discussions we’ve seen on Reddit (take with a pinch of salt if you wish) amongst some of those who claim to have peeked at the internal company data, which allegedly includes confidential release plans and source code, we’ve seen happy comments including:

Some good stuff in the [REDACTED] design doc. Planned June 2021 release for [REDACTED]. Very pretty graphics. Aiming for older audience while making it still accessible to elementary/middle school age.

Yeah I just read through that and it looks absolutely beautiful.

[REDACTED] in April with demo in March, can’t wait!

[REDACTED coming out] in October is very cool.

What to do?

To keep this sort of disaster out of your network, consider the following:

  • Keep on educating your users about the latest phishing threats. A significant proportion of ransomware attacks begin with a foothold gained by the crooks through fraudulent web links or attachments sent in via email. Consider tools such as Sophos Phish Threat that allow you to test and educate your own users with realistic but fake phishing emails, so they can make their mistakes with you and not with the crooks.
  • Regularly review your remote access portals. Shut down remote access tools you don’t need; pick proper passwords; and require the use of 2FA whenever you can. One forgotten or incorrectly configured RDP server, for example, or one SSH account that’s been phished and isn’t protected by 2FA, might be all the crooks need to initiate their attack.
  • Patch early and patch often. Patches aren’t just for internet-facing servers. Criminals identify and exploit buggy software inside your network in order to make a bad thing worse by expanding what’s called the surface area of an attack.
  • Don’t ignore the early signs of an attack. If your system logs are showing an unusual pattern of threat detections – notably of malware apparently launched from inside the network, or sysadmin tools turning up where you wouldn’t expect them – don’t delay. Investigate today.
  • Consider getting help if you need it. Experts such as the Sophos Managed Threat Response and Rapid Response teams can jump in at short notice when you spot trouble. They can help out (or even take care of the whole thing for you if you are really short of staff or expertise) when you simply don’t have the time to investigate in detail yourself.
  • Give your staff a single phone number or email address where they can report trouble. Help your own staff to be the eyes and ears of your security team and they will help you to catch sight of attacks sooner. Ransomware crooks don’t send one phishy email to one person and then move on to another company if it doesn’t work, so the sooner anyone says something to someone, the sooner everyone can be advised and the better the chance that no one will be affected.
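The “don’t ignore the early signs” advice above is easier to follow if you have something that reads your process logs for you. The script below is an added example written for this article and is not Sophos code or any product’s detection logic: it takes a few constructed process-creation events (timestamp, host, user, parent image, child image), flags dual-use sysadmin tools that appear on hosts outside a hypothetical jump-host allowlist (`ADMIN_HOSTS`) or that are spawned by parents which have no business launching them (an Office application, a database engine), and then ranks hosts by how many such findings they have. The tool list, allowlist and host names are all assumptions you would replace with your own.

```python
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry). One event per
# line; fields separated by " | ": timestamp, host, user, parent image, child image.
SAMPLE_EVENTS = """\
2020-11-16T09:01:12Z | FIN-PC07 | alice   | WINWORD.EXE    | powershell.exe
2020-11-16T09:03:40Z | FIN-PC07 | alice   | powershell.exe | vssadmin.exe
2020-11-16T09:05:02Z | JUMP01   | itadmin | cmd.exe        | PsExec.exe
2020-11-16T09:07:55Z | HR-PC12  | bob     | explorer.exe   | net.exe
2020-11-16T09:09:30Z | FIN-PC07 | alice   | powershell.exe | PsExec.exe
2020-11-16T09:10:11Z | SRV-DB02 | svc_sql | sqlservr.exe   | cmd.exe
"""

# Legitimate sysadmin tools that attackers "living off the land" also lean on.
ADMIN_TOOLS = {"psexec.exe", "vssadmin.exe", "wmic.exe", "net.exe", "net1.exe",
               "bcdedit.exe", "schtasks.exe", "powershell.exe"}

# Hypothetical allowlist: the only hosts where those tools are expected to run.
ADMIN_HOSTS = {"JUMP01"}

# Parents that should never spawn shells or admin tools (assumed for the example).
UNEXPECTED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe",
                      "firefox.exe", "sqlservr.exe", "w3wp.exe"}


def parse_events(text):
    """Turn the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, child = [f.strip() for f in line.split("|")]
        events.append({"time": ts, "host": host, "user": user,
                       "parent": parent.lower(), "child": child.lower()})
    return events


def assess(event):
    """Return the reasons this event looks out of place (empty list if none)."""
    reasons = []
    if event["child"] in ADMIN_TOOLS and event["host"] not in ADMIN_HOSTS:
        reasons.append("admin tool %s on non-admin host" % event["child"])
    if event["parent"] in UNEXPECTED_PARENTS:
        reasons.append("%s spawned by %s" % (event["child"], event["parent"]))
    return reasons


def triage(text):
    """Group flagged events by host: {host: [(time, child, reasons), ...]}."""
    findings = defaultdict(list)
    for ev in parse_events(text):
        reasons = assess(ev)
        if reasons:
            findings[ev["host"]].append((ev["time"], ev["child"], reasons))
    return dict(findings)


def hosts_to_investigate(text, threshold=2):
    """Hosts with at least `threshold` flagged events, most findings first."""
    findings = triage(text)
    ranked = sorted(findings, key=lambda h: (-len(findings[h]), h))
    return [h for h in ranked if len(findings[h]) >= threshold]


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        print(host)
        for ts, child, reasons in items:
            print("  %s %-15s %s" % (ts, child, "; ".join(reasons)))
    print("Investigate today:", hosts_to_investigate(SAMPLE_EVENTS))
```

On the sample data the jump host’s own PsExec use is ignored, a single `net.exe` on a workstation is recorded but not escalated, and FIN-PC07 (an Office document spawning PowerShell, which then runs two admin tools) is the one host that crosses the threshold. The point is not the specific tool names but the pattern: a short allowlist of where admin tooling is expected, plus a short denylist of parents that should never launch it, is enough to surface the “sysadmin tools where you wouldn’t expect them” signal the advice refers to.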

Naked Security Live – Don’t get hoaxed (pass it on)!

Did you know you can join us for a live cybersecurity lecture every Friday?

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be on air – it’s usually somewhere between 18:00 and 19:00 UK time, which is late morning/early afternoon on the West/East coast of North America.

(Note that you don’t need a Facebook account to watch our live streams, but you will need to log in if you want to ask questions or post comments.)

We also upload the videos to our YouTube channel – here’s our latest video on mobile privacy:

(Video embedded in the original post; watch it directly on YouTube if it won’t play here.)

Thanks for watching… hope to see you online later this week!


How to do cybersecurity – join us online for the Sophos Evolve event

If you are a regular Naked Security reader, you’ll know that we generally steer clear of publishing content that deals specifically with Sophos products and services.

That’s because our primary goal on this site is to help all of you learn more about cybersecurity by offering information and tips that work whatever operating system, apps and threat protection software you use.

Of course, we happily link from here to content that is all about Sophos, both in the articles and in the comments.

That’s not only because we want to make sure that Sophos customers know how to get the best out of our own products and services, but also because understanding how we organise our threat research, and why our products work the way they do, is more than just a fascinating story.

Knowing why our products have evolved as they have, from the very people who have evolved them, provides a powerful insight into how to deal with today’s fast-shifting, ever-changing threats.

Ten years ago, if you automatically detected and blocked a malware sample on one of the computers on your network, you’d probably – and quite reasonably – consider that a job well done.

If you were also able to remove that threat automatically before any harm was done, you’d probably consider that to be the end of the incident and you would move on to the next problem.

These days, however, we know that some malware samples that show up and “get blocked” are merely the beginning, and not the end, of a new attack.

That’s because ransomware criminals, amongst others, often work from inside your network, deliberately mounting mini-attacks and tripping minor alarms simply to see how your defences are organised.

Know your enemy

Well, if the crooks can do the whole “know your enemy” thing, then so can you!

So we’d like to invite you to join Sophos Evolve, a free online event that is taking place on Tuesday 2020-11-17 (that’s tomorrow) and Wednesday 2020-11-18.

You’ll hear talks from industry experts and Sophos insiders about threat intelligence, hacker techniques, cybersecurity solutions, and more.

You’ll not only learn about Synchronized Security, Sophos Central, Intercept X with EDR, XG Firewall, Managed Threat Response, Mobile Security…

…but also be able to watch live hacking demos from industry experts from inside and outside Sophos.

View the talks and pick the ones you’d like to see:

If you’re in the APJ region, you can join us next week (2020-11-24 and 2020-11-25) at times that may suit you better:

Please join us if you can.


S3 Ep6: How not to get scammed [Podcast]

In this episode: When payments go astray, why “just in case” cybersecurity warnings do more harm than good, how to shop safely on Black Friday and beyond, and (oh no!) what to do when all your emails disappear.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

To register for the Sophos Evolve event: https://sophos.com/evolve

Intro and outro music: Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.
