Capcom says hackers gained access to its systems via old backup VPN device

 

An investigation into the November 2020 ransomware attack on Japanese video game giant Capcom has revealed that attackers targeted an older backup VPN (Virtual Private Network) device that had been maintained at its North American subsidiary to gain initial access to the company’s network.

In November 2020, Capcom revealed it was a victim of a ransomware attack that impacted some of the company’s business operations, including email and file servers. In a series of subsequent updates, the video game maker said that the attack was carried out by the Ragnar Locker ransomware group, which destroyed and encrypted data on the game maker’s servers, and that the personal data of over 16,000 people was affected in the incident. Now the company says that the incident impacted a total of 15,649 people, down by 766 people from the original estimate. The company said that none of the compromised data contained financial information.

“As described in previous announcements, none of the at-risk data contains credit card information. All online transactions etc. are handled by a third-party service provider on a separate system (not involved in this attack), and as such Capcom does not maintain any such information internally,” Capcom said.

According to Capcom, the hackers gained access to its internal network in October 2020 using an outdated backup VPN device managed by Capcom U.S.A. At the time, Capcom explains, the Capcom Group, including the North American subsidiary, had already transitioned to a new model of VPN devices. However, due to the spread of COVID-19 infection in the State of California, where its subsidiary is located, the company had to keep older VPN devices as an emergency backup. The device in question has already been removed from the network.

“While the Company had existing perimeter security measures in place and, as explained below, was in the process of adopting defensive measures such as a SOC service and EDR, the Company had been forced to prioritize infrastructure improvements necessitated by the spread of COVID-19. As a result, the use of these measures was still in the process of being verified (not yet implemented) at the time this matter took place,” Capcom said in its final update regarding the ransomware attack.

“In addition to the Company's existing perimeter security measures, following the incident, Capcom has taken a variety of measures to strengthen existing security with the aim of preventing any reoccurrence. This includes the introduction of an SOC service, which continuously monitors external connections, and EDR, which allows for early detection of unusual activity on devices.”
