Cyber Incident Victim: Garena
Date: May 2017
Location: Thailand
Summary
A cybersecurity incident impacted Garena's Blade & Soul Thailand game servers through a WannaCrypt ransomware attack that exploited vulnerabilities in outdated Windows operating systems. The compromise resulted in unauthorized data encryption and service disruptions, prompting administrators to perform a 40-minute system rollback to restore operations. The ransomware leveraged exploits allegedly linked to NSA tools, propagating across local networks to encrypt files. This caused temporary gameplay interruptions and forced partial server recovery measures. The attack targeted unpatched systems, highlighting the risks associated with legacy infrastructure in gaming environments.
Description
On May 12, 2017, Garena's Blade & Soul Thailand game servers were compromised by the WannaCry ransomware (also identified as WannaCrypt, WannaCrypt0r, or WanaCrypt0r 2.0). The attack exploited vulnerabilities in outdated Windows operating systems, including Windows XP, Windows 8, and Windows Server 2003, leveraging the EternalBlue exploit linked to tools leaked from the US National Security Agency (NSA). The ransomware propagated through local area networks (LAN), encrypting critical server infrastructure and disrupting gameplay services. Garena detected the intrusion when servers became unresponsive, with the attack timeline indicating initial impact around 18:28 local time. The incident forced an immediate shutdown of affected systems to contain further spread. Forensic analysis confirmed the ransomware variant was WannaCry version 2, which incorporated worm-like capabilities to self-replicate across networked devices. Attackers demanded ransom payments to decrypt files, though specific payment demands or cryptocurrency addresses were not disclosed in available reports.

Service disruptions lasted between 4 and 9 hours, during which Garena rolled the servers back to a backup state from approximately 10 hours before the attack. This restoration process took 40 minutes to complete but carried an estimated 50% risk of partial data loss for player accounts. The company issued public warnings advising players not to launch the game client and to update their operating systems to reduce the risk of infection. The attack highlighted systemic weaknesses in maintaining legacy Windows environments, particularly unpatched servers exposed to the EternalBlue exploit. No breach of player data was confirmed, though the encryption of server-side systems temporarily halted all gameplay and transactional functions. Garena’s incident response focused on infrastructure recovery rather than ransom negotiation, and services were fully restored following the rollback.
