Capcom's VPN, the entry point for ransomware

The Japanese company Capcom is one of the best-known video game developers in the world and is known for best-selling titles including Street Fighter, Resident Evil, Monster Hunter, and Mega Man sagas.  

But last November its popularity was hit by a major incident: as explained in a statement, several of its networks were targeted by a ransomware cyberattack from the Ragnar Locker group, which blocked part of its systems. At first, the company assured that no user data had been compromised. Then, in January, it acknowledged that the data of up to 390,000 users could have been compromised, later confirming that 16,415 users had suffered data theft.  

This clearly highlighted the danger of ransomware cyberattacks, which a growing number of companies from all sectors are suffering from unfortunately.  In this case the entry vector was unusual in that the method the hackers used to gain access to the company’s systems was by infiltrating its VPN. 

Forensic analysis 

Capcom released a report on April 13 based on detailed forensic analysis that examines all stages of the incident, as well as the tactics and procedures used by the cyberattackers. According to the analysts who drew up the report, the point of origin was found in a back-up device that used an old VPN at its US subsidiary company (Capcom USA). Apparently, Capcom had already been using a newer, updated VPN regularly for some time, but kept the old one as an emergency backup in case the main ones were compromised. The hackers accessed the systems from this VPN in October and in November executed the ransomware, hitting both the company's US and Japanese offices.  

The company admitted that it had intended to implement both an EDR service and create a Security Operations Center (SOC) to monitor all its networks covering its VPNs, but at the time of the cyberattack, it hadn’t done this yet. Due to the COVID-19 pandemic, it had been forced to prioritize investment in infrastructure over cybersecurity, to support the rise of working from home among employees.  

Protection for VPNs for the MSPs  

Apart from having adequate EDR solutions  in place and setting up a SOC to monitor external connections at all times, the forensic analysis recommended that the company take other measures, including appropriate methods for managing and keeping its VPNs and homeworking environment up-to-date and secure.  

In this regard, WatchGuard’s network security solutions offer MSPs a comprehensive solution for customers. With the WatchGuard Firebox platform, customers get complete network security, visibility and threat management tools to suit any organization, regardless of budget, size or complexity.   

Moreover, WatchGuard also offers specific resources to safeguard remote work; in particular, virtual firewalls hosted in the Cloud that can help load-balance VPN traffic. This means organizations won’t have to put aside some cybersecurity elements to prioritize their homeworking infrastructure and connectivity, as happened to Capcom.