Cyberattackers demand $11M in bitcoin from Japanese gaming firm Capcom

On November 2nd, the gaming firm was hit by a cyberattack which led to the suspension of parts of its corporate network in an attempt to halt the spread of the malware.
A statement from Capcom read, “Beginning in the early morning hours of November 02, 2020 some of the Capcom Group networks experienced issues that affected access to certain systems, including email and file servers. The company has confirmed that this was due to unauthorized access carried out by a third party, and that it has halted some operations of its internal networks as of November 02.”
Since the attack, Capcom has been displaying notices on its website notifying visitors that emails and document requests will not be answered because the cyber incident affected its email systems. Although Capcom did not disclose any details about the cyber incident, security researcher Pancak3 managed to obtain a sample of the ransomware, which showed that the malware used was Ragnar Locker.
BleepingComputer ran the Ragnar Locker sample and managed to obtain a copy of the ransom note sent to Capcom during the attack. In the note, the attackers responsible for the malware claimed that they stole 1TB of unencrypted files from Capcom’s corporate networks in Japan, the US, and Canada.
To serve as proof of the data theft, the attackers attached seven print URLs to the ransom note that display screenshots of stolen files. The culprits also included a link in the note that redirects to a private data leak page on Ragnar Locker’s website containing additional stolen documents. These include revenue forecasts, salary spreadsheets, NDAs, immigration forms, corporate communications, and royalty reports.
Ragnar Locker claims to have encrypted 2,000 devices on Capcom’s networks. The attackers are demanding $11,000,000 in bitcoins in exchange for decrypting the company’s locked files. To facilitate negotiations, the attackers included another link in their ransom note, directing Capcom to a Tor chat page where the company can communicate with the hackers.