Incident: Capcom Ransomware Attack: Data Breach and Encryption Incident

Published Date: 2020-11-16

Postmortem Analysis
Timeline 1. The software failure incident at Capcom happened on November 2, as mentioned in the article [107594].
System 1. Capcom's servers [107594]
Responsible Organization 1. The Ragnar Locker hacker group was responsible for causing the software failure incident at Capcom [107594].
Impacted Organization 1. Customers 2. Business partners 3. Employees 4. Current or former employees 5. Japanese customer support 6. American Capcom store or e-sports operation 7. Gamers [Cited from Article 107594]
Software Causes 1. Ransomware attack compromising Capcom's servers, digitally scrambling data, and destroying files [107594]
Non-software Causes 1. Ransomware attack by the Ragnar Locker hacker group [107594]
Impacts 1. Personal information of up to 350,000 people, including customers, business partners, and employees, was potentially compromised [107594]. 2. Some of Capcom's own financial information was stolen during the ransomware attack [107594]. 3. The attackers digitally scrambled data on Capcom's servers, making it impossible to view or amend, and destroyed some files outright [107594]. 4. Capcom confirmed that only nine people's personal information was definitely compromised, all current or former employees [107594]. 5. Sensitive data has already surfaced online, affecting the firm's reputation [107594]. 6. Capcom's own logs were lost as a result of the attack, making it difficult to determine the full extent of the data breach [107594].
Preventions 1. Implementing robust cybersecurity measures such as regular security audits, penetration testing, and network monitoring to detect and prevent potential vulnerabilities that could be exploited by hackers [107594]. 2. Providing cybersecurity training to employees to raise awareness about phishing attacks, social engineering tactics, and other common methods used by cybercriminals to gain unauthorized access to systems [107594]. 3. Utilizing multi-factor authentication for accessing sensitive data and systems to add an extra layer of security and prevent unauthorized access even if login credentials are compromised [107594]. 4. Regularly backing up data and maintaining offline backups to ensure that critical information can be restored in case of a ransomware attack or data loss incident [107594].
Fixes 1. Enhancing cybersecurity measures to prevent future ransomware attacks and unauthorized access to sensitive data [107594]. 2. Implementing regular security audits and updates to identify and patch vulnerabilities in the system [107594]. 3. Conducting thorough investigations to understand the root cause of the attack and strengthen the overall security posture of the organization [107594].
References 1. Capcom's official statement [107594] 2. Information from the ransomware attackers, Ragnar Locker [107594] 3. Law enforcement sources [107594]

Software Taxonomy of Faults

Category Option Rationale
Recurring multiple_organization (a) The software failure incident having happened again at one_organization: - The article does not mention any previous incidents of a similar nature happening again within Capcom or with its products and services. Therefore, there is no indication of a similar incident occurring again at Capcom specifically [107594]. (b) The software failure incident having happened again at multiple_organization: - The article mentions that ransomware attacks, similar to the one experienced by Capcom, have been a widespread issue affecting various companies. It highlights that ransomware victims have been urged not to pay hackers, as these groups have made millions from companies. This suggests that similar incidents have occurred at multiple organizations facing ransomware attacks [107594].
Phase (Design/Operation) design, operation (a) The software failure incident in this case can be attributed to the design phase. The ransomware attack on Capcom's servers resulted in the encryption of data, making it impossible to view or amend, and some files were destroyed outright. This attack was a result of malicious software that threatened to block access to records unless a ransom was paid, indicating a vulnerability in the system's design that allowed unauthorized access and manipulation of data [107594]. (b) Additionally, the software failure incident can also be linked to the operation phase. The attack compromised personal information of up to 350,000 people, including customers, business partners, and employees. The incident affected the operation of Capcom's systems and services, leading to potential data breaches and loss of sensitive information. The company had to reassure gamers that it was safe to continue playing online and using their websites, indicating operational disruptions caused by the cyber-attack [107594].
Boundary (Internal/External) within_system, outside_system The software failure incident reported in Article 107594 can be categorized as both within_system and outside_system: (a) within_system: The failure within the system is evident from the ransomware attack that compromised Capcom's servers, leading to the encryption of data and destruction of files within the company's internal systems. The attackers digitally scrambled the data on Capcom's servers, making it impossible to view or amend, and some files were destroyed outright [107594]. (b) outside_system: The failure originating from outside the system is highlighted by the ransomware attack itself, which was carried out by the Ragnar Locker hacker group. This external threat actor demanded payment to undo the encryption involved in the attack, indicating that the attack originated from outside the company's internal systems [107594].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in this case was due to non-human actions, specifically a ransomware attack. The attack involved the use of malicious software that digitally scrambled data on Capcom's servers, making it impossible to view or amend, and even destroying some files outright. The Ragnar Locker hacker group demanded payment to undo the encryption involved in the attack [107594]. (b) Human actions were also involved in this incident as the hackers behind the ransomware attack were individuals from the Ragnar Locker hacker group. These individuals demanded payment from Capcom to undo the encryption and threatened to block access to the compromised data unless their extortion demand was met. However, Capcom chose not to pay the cyber-criminals' demand, which is seen as the right decision by many, including law enforcement [107594].
Dimension (Hardware/Software) software (a) The software failure incident in the article was not attributed to hardware issues. Instead, it was a ransomware attack on Capcom's servers, indicating a failure originating in software [107594].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident in this case was malicious. It was a ransomware attack on Capcom's servers, where attackers digitally scrambled data, making it impossible to view or amend, and even destroyed some files outright. The Ragnar Locker hacker group demanded payment to undo the encryption involved, indicating malicious intent to harm the system [107594].
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident: - The software failure incident involving Capcom being hit by a ransomware attack was likely due to poor decisions made by the hackers behind the attack. The Ragnar Locker hacker group demanded payment to undo the encryption they had imposed on Capcom's servers, indicating their malicious intent to extort money from the company [107594]. - Despite the attackers' demands, Capcom chose not to pay the cyber-criminals' extortion demand, which is seen as the right decision by many, including law enforcement. This decision to not give in to the hackers' demands suggests a stance against supporting criminal activities and not rewarding such behavior [107594].
Capability (Incompetence/Accidental) accidental (a) The software failure incident reported in the article is not attributed to development incompetence. The incident was a result of a ransomware attack on Capcom's servers by the Ragnar Locker hacker group, where they digitally scrambled data and demanded payment to undo the encryption involved [107594]. (b) The software failure incident can be categorized as accidental. The ransomware attack on Capcom's servers, resulting in the compromise of personal information of up to 350,000 people, was not intentional on the part of Capcom. It was an external attack by cyber-criminals who demanded payment to undo the encryption they had implemented [107594].
Duration temporary The software failure incident reported in Article 107594 was temporary. The incident involved a ransomware attack on Capcom's servers, where the attackers digitally scrambled some data, making it impossible to view or amend, and destroyed some files outright. The Ragnar Locker hacker group demanded payment to undo the encryption involved. Capcom confirmed the attack on November 2nd and took steps to address the situation, including not yielding to the cyber-criminals' extortion demand. The incident was not permanent as Capcom actively worked to mitigate the effects of the attack and prevent further damage [107594].
Behaviour crash, other (a) crash: The software failure incident in the article can be categorized as a crash. The ransomware attack on Capcom's servers resulted in the system losing state and being unable to view or amend some data, with some files being destroyed outright [107594]. (b) omission: The incident does not specifically mention a failure due to the system omitting to perform its intended functions at an instance(s). (c) timing: The incident does not specifically mention a failure due to the system performing its intended functions correctly, but too late or too early. (d) value: The incident does not specifically mention a failure due to the system performing its intended functions incorrectly. (e) byzantine: The incident does not specifically mention a failure due to the system behaving erroneously with inconsistent responses and interactions. (f) other: The other behavior observed in this software failure incident is the system being digitally scrambled by the attackers, making it impossible to view or amend some data on Capcom's servers, which is not a typical crash but a deliberate action by the attackers [107594].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: People's material goods, money, or data was impacted due to the software failure The software failure incident at Capcom resulted in the compromise of personal information of up to 350,000 individuals, including customers, business partners, and employees [107594]. The attackers were able to access and steal data such as names, addresses, birthdays, phone numbers, and email addresses. Additionally, some of Capcom's financial information was also stolen during the ransomware attack. The company confirmed that the attackers digitally scrambled some of the data on their servers, making it impossible to view or amend, and even destroyed some files outright. This incident led to potential risks for the affected individuals due to the exposure of their personal information.
Domain entertainment (a) The failed system in this incident was related to the entertainment industry. Capcom, the video game maker affected by the ransomware attack, is best known for franchises such as Resident Evil, Street Fighter, and Monster Hunter, which are all popular video game series under the entertainment industry [107594].

Sources

Back to List