Japanese gaming giant Capcom suffered a cyberattack in early November, resulting in internal information being leaked online.
The IT security firm Mitsui Bussan Secure Directions told Sankei Shimbun on November 20 that the executable file linked to the virus behind the attack is thought to have carried a digital signature from a company based in Moscow. The criminal group Ragnar Locker has claimed responsibility for the cyberattack, which was carried out using ransomware.
A digital signature can help a virus go undetected by antivirus software, so the signature has raised suspicions that the criminal group was involved in the attack.
It has also emerged that the virus was created so that it would not harm computers with language settings such as Russian and those of countries near Russia. The language settings suggest that the criminal organization did not want to attack computers within its own country. Such settings, combined with the presence of the digital signature, imply that people in Russia or a neighboring country were responsible.
Deception of Digital Signatures
Digital signatures make files appear more reliable, but they also enable hidden viruses to escape detection by certain types of antivirus software.
In recent years, fake digital signatures have been used to make malicious files seem safe. It is possible that the Capcom cyberattack used this trick.
According to its settings, the ransomware at the heart of this cyberattack recognized the languages of 12 countries, including Russia, Ukraine, and Uzbekistan, and left computers using those languages unharmed. This means that computers in Russia and neighboring countries would not have been affected.
Generally speaking, viruses used in cyberattacks are designed to avoid the country where the criminal group is based. A logical conclusion concerning the Capcom attack, therefore, is that the perpetrators are from Russia or a nearby country.
Meticulous ‘Double Extortion’
The cyberattack on Capcom was a “double extortion” attack, in which the perpetrators encrypt a victim’s data and steal confidential information, then demand ransom money both for decrypting the data and for not making the stolen data public. Such attacks have been fairly common overseas in recent years.
In the early hours of November 2, Capcom’s internal system was suddenly hit with connection issues, and an English message appeared on the screens of computers affected by the virus.
The threatening message, which began with the words “Hello Capcom,” stated that all of Capcom’s data had been encrypted and that at least 1 terabyte of data had been stolen from every server across Japan, the United States, and Canada. It went on to say that unless Capcom cooperated with the ransom demand, the stolen data would be made public and sold to third parties.
The message came from a group known as Ragnar Locker. According to Mitsui Bussan Secure Directions, the group has been active since about May 2020, repeatedly targeting overseas firms in countries such as the U.S. and Portugal.
Ragnar Locker breaks into corporate networks using remotely controlled viruses. First, the group steals confidential information. It then deploys ransomware to the servers and encrypts the data on computers and servers. Finally, the group demands a ransom in virtual currency, which is difficult to trace, in exchange for not publicizing the stolen information and for decrypting the data.
Major Japanese firms have had minimal exposure to these kinds of double extortion attacks, but several overseas cases have been confirmed since about 2019.
On November 9, Ragnar Locker posted its ransom demand, in English, on the dark web, which can only be accessed using specific software. Capcom did not comply, and on November 11 Ragnar Locker uploaded information stolen from Capcom, such as company sales figures and employees’ salaries, onto the dark web.
Capcom has consulted with Osaka Prefectural Police about the incident. In addition, a spokesperson for the gaming firm has apologized for any inconvenience caused, adding that Capcom aims to strengthen its IT management system while working with the police and specialist consultants.
Vigilance, Firm Stance Needed
The word “ransomware,” which combines “ransom” and “software,” is the name for a type of computer virus. Previously, both individuals and companies were attacked, but recently companies have been targeted more often, for larger ransoms.
According to the computer security firm Trend Micro, there were 61 reported attacks on companies in Japan between January and September 2020 — about 1.5 times higher than in the same period in 2019.
“With more and more people working from home, corporate networks have greater exposure to the outside world, making it even more important to strengthen security,” said a Trend Micro spokesperson.
Meanwhile, Professor Tetsutaro Uehara of Ritsumeikan University said, “It is important to have networks that can instantly detect virus attacks.”
He quickly added: “Even if you were to pay the ransom, there is no guarantee that the criminal group would delete the stolen data. It is necessary to adopt a firm stance, and to not let criminals take advantage.”
(Read the original report here in Japanese.)
Authors: Miki Kinoshita and Azusa Emori, The Sankei Shimbun