Capcom hit by ransomware attack, is reportedly being extorted for $11 million

erek, [H]F Junkie (joined Dec 19, 2005; 10,894 messages)
“According to malware researcher Pancak3, the hackers are demanding $11 million in bitcoin for a decryptor key. Such a sum roughly equates to another big Ragnar Locker hack announced yesterday, of the drinks maker Campari, where as ZDNet reports the demand is around $15 million.

The independent MalwareHunterTeam also confirmed that Ragnar Locker is behind the Capcom hack, while adding that both hacks had the same digital signature.”

https://www.pcgamer.com/capcom-hit-...eportedly-being-extorted-for-pound11-million/
 
I've obviously never fought a massive corporate ransomware attack, but if they have snapshots and backups (which every company should have) they shouldn't need to be worried, right?

Just wipe, restore from backup, take the few days of downtime as a learning experience, and carry on?
 
I've obviously never fought a massive corporate ransomware attack, but if they have snapshots and backups (which every company should have) they shouldn't need to be worried, right?

Just wipe, restore from backup, take the few days of downtime as a learning experience, and carry on?
Should being the key word. Additionally, core services and storage (depending on its importance of data) shouldn’t even be on the same network that has access to dirty internet.
 
I've obviously never fought a massive corporate ransomware attack, but if they have snapshots and backups (which every company should have) they shouldn't need to be worried, right?

Just wipe, restore from backup, take the few days of downtime as a learning experience, and carry on?

The key difference to most past ransomware (and a new trend in ransomware since it provides more incentive for victims) is they're threatening to sell the data unless Capcom pay. Probably something worth adding as a quote to the OP imo.
 
Yeah, it’s more “your Bitcoin or your source code on the internet” kind of thing now. There’s ransomware and then there’s extortionware, and Ragnar is the latter.

companies can safely assume they will be attacked, but air-gapped networks are an inconvenience to users, at best, or completely impractical given the pandemic.

A tiered account system, MFA and proper “least privileged” permissions models can help prevent a ransomware attack, but if your end users are developers with a cached copy of a git repo and it’s their system that gets popped, it doesn’t matter anyways.

I also want to point out, as someone with 15 years of experience in the industry in multiple roles: good endpoint protection software is a no-brainer, right? Except it costs money and no one wants to spend it because

“the firewall already protects us”

“didn’t we buy AV like ten years ago (and stopped paying the subscription to save money)?”

“we use complicated passwords!”

etc, etc.

in my experience, convincing executives to get an advanced endpoint protection suite for an organization is an uphill battle, until there’s an attack. Then it’s “why didn’t our systems catch this? What do you mean we weren’t protected? Buy something to fix it!”
 
Yeah, it’s more “your Bitcoin or your source code on the internet” kind of thing now. There’s ransomware and then there’s extortionware, and Ragnar is the latter.

companies can safely assume they will be attacked, but air-gapped networks are an inconvenience to users, at best, or completely impractical given the pandemic.

A tiered account system, MFA and proper “least privileged” permissions models can help prevent a ransomware attack, but if your end users are developers with a cached copy of a git repo and it’s their system that gets popped, it doesn’t matter anyways.

I also want to point out, as someone with 15 years of experience in the industry in multiple roles: good endpoint protection software is a no-brainer, right? Except it costs money and no one wants to spend it because

“the firewall already protects us”

“didn’t we buy AV like ten years ago (and stopped paying the subscription to save money)?”

“we use complicated passwords!”

etc, etc.

in my experience, convincing executives to get an advanced endpoint protection suite for an organization is an uphill battle, until there’s an attack. Then it’s “why didn’t our systems catch this? What do you mean we weren’t protected? Buy something to fix it!”
Yep. I run an MSP and I'd say roughly 4 out of 10 new clients I meet all have poverty level security measures in place, if any at all. RDP open to the net over default ports, weak passwords with no complexity req's, no account lockouts configured, "free" anti-virus that hasn't seen updates in years, no one auditing event logs, etc. Hell, just yesterday I saw a new medical client with a Windows XP computer connected to the internet being used...
 
I work in the enterprise/global space of storage/cloud sales, engineering side. It is staggering how many massive entities don't have snapshots for instant recovery. So many still use streaming backups, e.g. Commvault, and can take days and days to recover anything.
 
The key difference to most past ransomware (and a new trend in ransomware since it provides more incentive for victims) is they're threatening to sell the data unless Capcom pay. Probably something worth adding as a quote to the OP imo.

From past experiences with situations like this, they'll sell the data regardless; Or since they've probably compromised systems within Capcom, extort them again for more money.

There's an oil company here in south Texas that had its well head control boards hacked and they were extorted with the promise from the hackers that they'd relinquish control once they were paid. The oil company paid and the hackers relinquished control, only to hack it again within days and extort the oil company again for more money.
 
I've obviously never fought a massive corporate ransomware attack, but if they have snapshots and backups (which every company should have) they shouldn't need to be worried, right?

Just wipe, restore from backup, take the few days of downtime as a learning experience, and carry on?
Whether they had backups is the big if.

Whether they had working backups is an even bigger if. It's unfortunately common for places to have something set up... then never actually test that they can do a working restore.
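The "never actually test that they can do a working restore" point above, as an added example that is not code from the thread, from Capcom or from any backup vendor: a restore drill that extracts each backup generation into a scratch directory, checks every file against a hash manifest captured at backup time, and then chooses the newest generation that both predates the incident and actually restores. The tar.gz archive plus JSON manifest layout and the three-night scenario (one good backup, one archive truncated on disk after the job reported success, one taken after the encryption) are constructed assumptions.

```python
"""Restore drill: prove a backup generation can really be restored, then pick the newest
verified generation taken before the incident. Added example (not from the thread, Capcom
or any backup vendor); the tar.gz + JSON hash manifest layout and scenario are assumptions."""
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone

def manifest_of(root):
    """Relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def take_backup(src, store, taken_at):
    """Archive src and write a hash manifest beside it; returns the generation record."""
    archive = os.path.join(store, f"backup-{taken_at.strftime('%Y%m%dT%H%M%SZ')}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest = manifest_of(src)
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return {"taken_at": taken_at, "archive": archive, "manifest": manifest}

def verify_restore(gen, scratch):
    """Really extract into scratch and compare every file with the manifest, so a job that
    'succeeded' but left an unreadable or incomplete archive fails in the drill, not the incident."""
    target = tempfile.mkdtemp(dir=scratch)
    try:
        with tarfile.open(gen["archive"], "r:gz") as tar:
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(target, **kwargs)
    except (tarfile.TarError, EOFError, OSError) as exc:
        return False, [f"extract failed: {exc}"]
    restored = manifest_of(target)
    problems = [f"missing or altered: {p}" for p, d in gen["manifest"].items() if restored.get(p) != d]
    problems += [f"unexpected: {p}" for p in restored if p not in gen["manifest"]]
    return not problems, problems

def choose_recovery_point(generations, incident_at, scratch):
    """Newest generation taken before the incident that passes a real restore; later
    generations hold already-encrypted data and are skipped regardless of their hashes."""
    for gen in sorted(generations, key=lambda g: g["taken_at"], reverse=True):
        if gen["taken_at"] < incident_at and verify_restore(gen, scratch)[0]:
            return gen
    return None

def simulate_incident(src):
    """Drill stand-in for encryption: overwrite with random bytes and add '.locked'.
    No cryptography; it only makes the data unusable for the test."""
    for dirpath, _, files in os.walk(src):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "wb") as f:
                f.write(os.urandom(256))
            os.rename(full, full + ".locked")

def run_drill():
    """Constructed scenario: night 1 good backup; night 2 archive truncated on disk (job
    reported success); encryption on day 2; night 3 backs up the encrypted files."""
    root = tempfile.mkdtemp()
    try:
        src, store, scratch = (os.path.join(root, d) for d in ("src", "store", "scratch"))
        for d in (os.path.join(src, "design"), store, scratch):
            os.makedirs(d)
        for name, body in (("design/spec.txt", b"level layout v1\n" * 64), ("notes.txt", b"todo\n" * 32)):
            with open(os.path.join(src, name), "wb") as f:
                f.write(body)
        t0 = datetime(2020, 11, 1, 2, 0, tzinfo=timezone.utc)
        gens = [take_backup(src, store, t0), take_backup(src, store, t0 + timedelta(days=1))]
        with open(gens[1]["archive"], "r+b") as f:  # corrupt night 2 silently
            f.truncate(os.path.getsize(gens[1]["archive"]) // 2)
        incident_at = t0 + timedelta(days=1, hours=10)
        simulate_incident(src)
        gens.append(take_backup(src, store, t0 + timedelta(days=2)))
        chosen = choose_recovery_point(gens, incident_at, scratch)
        return {
            "chosen_night": None if chosen is None else 1 + [g["archive"] for g in gens].index(chosen["archive"]),
            "night2_restorable": verify_restore(gens[1], scratch)[0],
            "night3_after_incident": gens[2]["taken_at"] > incident_at,
        }
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(run_drill())
```

Two things the drill makes visible that a green "job completed" status does not: the night 2 archive is unusable even though its job succeeded, and the night 3 archive verifies perfectly against its own manifest because it faithfully backed up encrypted garbage. The first is why restores have to be exercised, not assumed; the second is why the recovery point is chosen by the time the incident began, not by whichever backup is newest.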
 
Whether they had backups is the big if.

Whether they had working backups is an even bigger if. It's unfortunately common for places to have something set up... then never actually test that they can do a working restore.

Jeez...
 
One would think the source code would be encrypted besides other files. Also dummy files with complete garbage on them to make navigating and finding pertinent data next to impossible. This is a big deal, every time a company complies, just entices future hacks at ever increasing rates.
 
I work in the enterprise/global space of storage/cloud sales, engineering side. It is staggering how many massive entities don't have snapshots for instant recovery. So many still use streaming backups, e.g. Commvault, and can take days and days to recover anything.
It's funny you mentioned CV, that is the first time I've heard anyone mention that outside of work (I don't work server-side really, I'm security and client-side, but I try to glean what I can).

We're in the process now of moving away from CV, as well as phasing out Deruva on the server side. CV works well enough for end user backups, same as Deruva, but agreed, certainly not ideal for servers when you have a snapshot alternative available.
 
Taco wonder if development of new metal gear is part of negotiation demands.
Metal Gear is Konami not Capcom.
Konami is far worse than Capcom in terms of cancelling high profile and fan loved properties as well as plundering golden gooses.
 
It's funny you mentioned CV, that is the first time I've heard anyone mention that outside of work (I don't work server-side really, I'm security and client-side, but I try to glean what I can).

We're in the process now of moving away from CV, as well as phasing out Deruva on the server side. CV works well enough for end user backups, same as Deruva, but agreed, certainly not ideal for servers when you have a snapshot alternative available.
Right. We've been inundated with calls for meetings around auditing that snapshots are on volumes that need to be protected, along with long term snapshot retention, enabling WORM on critical volumes that require certain retention periods, as well as ransomware detection and automagically locking users/volumes when irregular activity or known extensions pop up. All of this in the past 2 weeks. Seems some are finally waking up to their vulnerabilities.
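The "ransomware detection and automagically locking users/volumes when irregular activity or known extensions pop up" feature the post above describes, as an added example that is not code from the thread or from any storage vendor: a small behavioural detector run over constructed file-server audit events. It flags an account on four signals: a write or rename producing a known encrypted-file extension, a ransom-note filename being created, a burst of renames inside a sliding window, and writes spreading across many directories in that window. The log format, the indicator lists and the thresholds are all assumptions, not a real product's defaults or a complete IOC feed.

```python
"""Behavioural ransomware detector over file-server audit events.

Added example (not from the thread or any vendor): flags an account when its file
activity shows known encrypted-file extensions, a ransom note, a burst of renames,
or writes spreading across many directories in a short window. The log format,
indicator lists and thresholds are constructed assumptions."""
import os
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative indicators only; not an authoritative or complete IOC list.
KNOWN_RANSOM_EXTENSIONS = {".ragnar", ".locked", ".crypt", ".encrypted"}
KNOWN_NOTE_NAMES = {"how_to_decrypt.txt", "!!!_read_me_!!!.txt", "decrypt_instructions.html"}

# Assumed thresholds; tune against the file server's normal baseline.
WINDOW = timedelta(seconds=60)
MAX_RENAMES_PER_WINDOW = 50
MAX_DIRS_PER_WINDOW = 10


@dataclass
class Event:
    ts: datetime
    user: str
    op: str                         # write | rename | create | delete
    path: str
    new_path: Optional[str] = None  # destination of a rename


def parse_line(line: str) -> Event:
    """Parse one constructed audit line: '<iso-ts> <user> <op> <path>[ -> <new_path>]'."""
    ts, user, op, rest = line.strip().split(" ", 3)
    path, _, new_path = rest.partition(" -> ")
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, op, path, new_path or None)


def detect(events):
    """Return {user: sorted reasons}. Any reason is grounds to suspend the account
    and snapshot the affected volume before more files are touched."""
    reasons = defaultdict(set)
    renames = defaultdict(deque)        # user -> timestamps of renames in the window
    touched = defaultdict(deque)        # user -> (ts, directory) of recent writes
    dir_counts = defaultdict(Counter)   # user -> directory -> live count in the window

    for ev in sorted(events, key=lambda e: e.ts):
        target = ev.new_path or ev.path
        if os.path.splitext(target)[1].lower() in KNOWN_RANSOM_EXTENSIONS:
            reasons[ev.user].add("known_ransom_extension")
        if ev.op in ("create", "write") and os.path.basename(target).lower() in KNOWN_NOTE_NAMES:
            reasons[ev.user].add("ransom_note_dropped")

        if ev.op == "rename":
            q = renames[ev.user]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW:
                q.popleft()
            if len(q) > MAX_RENAMES_PER_WINDOW:
                reasons[ev.user].add("rename_burst")

        if ev.op in ("write", "rename", "create"):
            d = os.path.dirname(target)
            q, counts = touched[ev.user], dir_counts[ev.user]
            q.append((ev.ts, d))
            counts[d] += 1
            while q and ev.ts - q[0][0] > WINDOW:
                _, old = q.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            if len(counts) > MAX_DIRS_PER_WINDOW:
                reasons[ev.user].add("directory_spread")
    return {u: sorted(r) for u, r in reasons.items()}


def constructed_log():
    """Constructed sample: alice edits a few files normally; bob's account renames
    60 spreadsheets to .ragnar across 12 directories in 30 s and drops a note."""
    t0 = datetime(2020, 11, 4, 9, 0, tzinfo=timezone.utc)
    lines = [f"{(t0 + timedelta(minutes=i)).isoformat()} alice write /vol/projects/design/spec{i}.docx"
             for i in range(5)]
    for i in range(60):
        d = f"/vol/projects/team{i % 12}"
        lines.append(f"{(t0 + timedelta(seconds=i // 2)).isoformat()} bob rename {d}/q3-{i}.xlsx -> {d}/q3-{i}.xlsx.ragnar")
    lines.append(f"{(t0 + timedelta(seconds=31)).isoformat()} bob create /vol/projects/team0/how_to_decrypt.txt")
    return lines


if __name__ == "__main__":
    for user, why in detect([parse_line(l) for l in constructed_log()]).items():
        print(f"LOCK {user}: {', '.join(why)}")
```

The extension and ransom-note matches are the high-confidence signals; the rename burst and directory spread rules also fire on legitimate bulk reorganisations, so in practice they should gate a reversible automated action (suspend the user's sessions, take an immediate snapshot of the volume) with a human confirming before anything is rolled back. The thresholds have to come from the server's own baseline, and the extension list only ever catches families that have already been seen, which is why the behavioural rules are there at all.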
 
Metal Gear is Konami not Capcom.
Konami is far worse than Capcom in terms of cancelling high profile and fan loved properties as well as plundering golden gooses.
Honestly Konami isn't even plundering. They're just not doing anything with their properties, other than cheap releases of old games and pachinko machines.
 
Yeah, it’s more “your Bitcoin or your source code on the internet” kind of thing now. There’s ransomware and then there’s extortionware, and Ragnar is the latter.

companies can safely assume they will be attacked, but air-gapped networks are an inconvenience to users, at best, or completely impractical given the pandemic.

A tiered account system, MFA and proper “least privileged” permissions models can help prevent a ransomware attack, but if your end users are developers with a cached copy of a git repo and it’s their system that gets popped, it doesn’t matter anyways.

I also want to point out, as someone with 15 years of experience in the industry in multiple roles: good endpoint protection software is a no-brainer, right? Except it costs money and no one wants to spend it because

“the firewall already protects us”

“didn’t we buy AV like ten years ago (and stopped paying the subscription to save money)?”

“we use complicated passwords!”

etc, etc.

in my experience, convincing executives to get an advanced endpoint protection suite for an organization is an uphill battle, until there’s an attack. Then it’s “why didn’t our systems catch this? What do you mean we weren’t protected? Buy something to fix it!”
Wow, I always suspected naive/clueless bean counters were behind a lot of this but I am still surprised to see it confirmed.
 
Honestly Konami isn't even plundering. They're just not doing anything with their properties, other than cheap releases of old games and pachinko machines.
They cancelled Silent Hills and then also made Metal Gear Survive a micro-transactions riddled half-game made on the Fox engine using recycled assets after firing Hideo Kojima.

There is no love lost from them.
 
They cancelled Silent Hills and then also made Metal Gear Survive a micro-transactions riddled half-game made on the Fox engine using recycled assets after firing Hideo Kojima.

There is no love lost from them.
That was like 5 years ago. They haven't done anything since.
 
If the hacker releases their data into the wild, maybe Megaman Legends 3 will finally see the light of the day...

Joking aside, you´d think such a big and longstanding company like Capcom would be prepared for this kind of attack, insane.
 
Considering what happened to Garmin...I am not surprised this happened again. Considering when a warning shot like that gets fired, I thought most bigger entities would have gotten their crap together but said "nay". Long live greed.
 
Considering what happened to Garmin...I am not surprised this happened again. Considering when a warning shot like that gets fired, I thought most bigger entities would have gotten their crap together but said "nay". Long live greed.
All it takes is one employee clicking on a link in a phishing email that the AV server hasn't identified as a threat because it's a new attack vector. (Sometimes no amount of training seems to work, either; back in the I.LOVE.YOU days I was working for a company that had offices all over North and South America and for weeks even after they updated the AV to delete that virus' attachments, we were seeing company-wide emails from people in a couple of SA offices. Doesn't matter how many times they were told, they kept clicking. Only solution would be to fire half the employees in the office.)
 
No, a better solution is to train your employees on how to recognize phishing emails with campaigns and regular spot checking. Where I am we've been receiving test phishing emails once every 5-6 weeks just to keep us on our toes. If you're fooled and click one, you're redirected to a static html page that basically shames you to the point that you'd rather die than click another link in any email ever. Success rates in this test have shot up from low 30% to 80%+ and it translates over into the real world. 20k employees.
 
I've obviously never fought a massive corporate ransomware attack, but if they have snapshots and backups (which every company should have) they shouldn't need to be worried, right?

Just wipe, restore from backup, take the few days of downtime as a learning experience, and carry on?
Well, it would really depend on how sophisticated the attack is. For example, maybe the virus had been lying dormant for months, meaning backups are also infected, and losing months' worth of work to go back far enough (if they have backups that go that far) is just not feasible.
 
Ransomware attacks scare me. I think I'm prepared, I think my security is good and I'm pretty sure my backups are sufficient. Which usually means I'm not, it isn't and they aren't.
 
No, a better solution is to train your employees on how to recognize phishing emails with campaigns and regular spot checking. Where I am we've been receiving test phishing emails once every 5-6 weeks just to keep us on our toes. If you're fooled and click one, you're redirected to a static html page that basically shames you to the point that you'd rather die than click another link in any email ever. Success rates in this test have shot up from low 30% to 80%+ and it translates over into the real world. 20k employees.
I've been shot down multiple times trying to get better security training budgeted for users. Someone later wired multiple times that amount of money to China because of course they would.

Someone else did it again a year later.
 
Why would an employee even be clicking around in emails? If it's during lunch, you have your smartphone on your mobile data. If you're handcuffed to your desk and working, no emails. Period!!🤨 If violated, 6 business days in a locked cubicle!
I meant work emails. Some of us have office jobs where we get emails from customers every day.
 
I've been shot down multiple times trying to get better security training budgeted for users. Someone later wired multiple times that amount of money to China because of course they would.

Someone else did it again a year later.

I hear you, it has to matter for the organization in order to get better. If the decision makers don't care, neither will their employees
 
.......................................

I also want to point out, as someone with 15 years of experience in the industry in multiple roles: good endpoint protection software is a no-brainer, right? Except it costs money and no one wants to spend it because

........................................
Just wanted to respond to this line: yes, good endpoint protection should be a no-brainer, but as usual hackers are increasingly looking at ways around even that. Currently there is a trend to go below the OS level and target the firmware, where most endpoint protection isn't going to help at all. Here is an interesting listen if you're so inclined. https://securityweekly.com/shows/hackers-hitting-below-the-belt-scott-scheferman-psw-671/
 
Ya, endpoint protection is seldom effective against most new strains out these days. Advanced ones using behavioral systems have a better chance, but also these big profile hacks are often someone already in the network, for days, weeks or even months; they do their work inside, get all they need to know and then unleash the infection and sit back and wait for the pay day.
 
Come on, 12345678 is an EIGHT DIGIT password!
I used to run IT for a bigger hardware store....a pretty well known one.
All the important passwords were items you'd think of...a quick example was the wifi pw was "hammer".
At least 3x a shift I'd have to walk a retired guy through connecting to the wifi and spelling Hammer multiple times for him.

As things got more important...it did NOT get more difficult with the p/w
 
Ya, endpoint protection is seldom effective against most new strains out these days. Advanced ones using behavioral systems have a better chance, but also these big profile hacks are often someone already in the network, for days, weeks or even months; they do their work inside, get all they need to know and then unleash the infection and sit back and wait for the pay day.
Some are from people letting people in, bypassing security tools set in place to protect them. I think it was the Sony hack where their spam filter successfully caught and moved a malicious email with a spreadsheet attached that took advantage of a zero day attack. Unfortunately the executive it went to actually removed it from the spam folder and opened it up, compromising his system. It was named something like "2018 Employee restructuring plan" or something similar. Their email security appliance did its job correctly....but couldn't protect against an untrained employee.
 
I've obviously never fought a massive corporate ransomware attack, but if they have snapshots and backups (which every company should have) they shouldn't need to be worried, right?

Just wipe, restore from backup, take the few days of downtime as a learning experience, and carry on?
Ya well... Companies often cheap out on shit until a crisis happens, then they find out why you should. But plenty of places are duuuuuuumb about shit and do things like have no real backups, have people keep important data on personal laptops, etc, etc.

If you have a proper enterprise system? It isn't even days of downtime. In many cases it isn't any downtime. Our NetApp can revert to a snapshot in less time than it takes me to issue the command to do so. It just updates its pointers to which blocks are accessed. So you just locate the snapshot taken before the encryption, revert to that time, and everything continues. You don't take the shares offline or anything.

BUT to do that, you have to have a system that does that sort of thing, and you have to have it set up, and you have to pay for the license for it (in the case of NetApp, some include the feature base) and you have to have the storage space for the snapshots, and your users have to save their files on it. This costs more to do, and plenty of companies are cheapasses. So they don't, and they get fucked.

But ya, if you do it right, you don't even have to go to backup, per se (though you still have those just in case), you just bring an older copy of the files on line in realtime. I've done just that when someone got ransomware and it encrypted a critical business share. Just took their system offline, rolled the share back 4 hours, and everyone continued on with their day. The storage system paid for itself and more right then and there.
 
Ya well... Companies often cheap out on shit until a crisis happens, then they find out why you should. But plenty of places are duuuuuuumb about shit and do things like have no real backups, have people keep important data on personal laptops, etc, etc.

If you have a proper enterprise system? It isn't even days of downtime. In many cases it isn't any downtime. Our NetApp can revert to a snapshot in less time than it takes me to issue the command to do so. It just updates its pointers to which blocks are accessed. So you just locate the snapshot taken before the encryption, revert to that time, and everything continues. You don't take the shares offline or anything.

BUT to do that, you have to have a system that does that sort of thing, and you have to have it set up, and you have to pay for the license for it (in the case of NetApp, some include the feature base) and you have to have the storage space for the snapshots, and your users have to save their files on it. This costs more to do, and plenty of companies are cheapasses. So they don't, and they get fucked.

But ya, if you do it right, you don't even have to go to backup, per se (though you still have those just in case), you just bring an older copy of the files on line in realtime. I've done just that when someone got ransomware and it encrypted a critical business share. Just took their system offline, rolled the share back 4 hours, and everyone continued on with their day. The storage system paid for itself and more right then and there.

I feel like I have a better home system than many enterprise ones, and that is sad.
 