Capcom published a new update on the ransomware attack inflicted against its internal server in November 2020. The update gave more details on how the attack happened and announced countermeasures taken to prevent another attack in the future.
The cyberattack route was traced back to an old VPN device that was kept for emergency backup. Although Capcom had shifted to newer VPN devices, an older unit was retained at the U.S. office in case the communications networks became overburdened by remote work due to the COVID-19 pandemic.
This old device turned out to be the exact entry point for the multi-faceted attack that culminated in ransomware infections on Capcom’s internal servers in both the U.S. and Japan on November 1, 2020. The device in question has since been completely disconnected and disposed of.
In addition to reviewing the VPN devices, Capcom also enacted more technical and organizational measures to prevent similar attacks in the future. These include EDR (Endpoint Detection and Response) and SOC (Security Operation Center) services to detect unusual activity in external connections. The company also newly established the IT Security Oversight Committee and IT Surveillance Section, which gather information related to cyber-security and give frequent recommendations to improve its protection standards.
Near the end of the press release, Capcom confirmed that the cybercriminal group left a contact message on infected devices for negotiations. However, the company had no intention of negotiating with the group. Capcom also claimed that it was not aware of any ransom demands, as the message did not include such a mention. This ransomware attack resulted in a leak of information on games under development by Capcom, as well as personal data from more than 15,000 people.