Cyber Incident Victim: Capcom
Date: Nov 2020
Location: Japan
Summary
A Japanese game developer experienced a ransomware attack by the Ragnar Locker group, which compromised corporate networks across multiple countries and resulted in the theft of approximately 1TB of sensitive data, including employee records, financial documents, passports, and internal communications. The attackers encrypted 2,000 devices, demanded an $11 million ransom in bitcoin for decryption and data deletion, and disrupted operations by forcing the company to halt portions of its network, impacting email systems and internal communications. Stolen data samples were publicly displayed by the ransomware operators to substantiate their claims.
Description
On November 2, 2020, Capcom detected unauthorized network access disrupting email and file server operations across its corporate networks in Japan, the United States, and Canada. The company halted portions of its internal systems to contain the incident, publicly acknowledging the cyberattack while initially withholding specifics about its nature. Security researcher Pancak3 later identified the intrusion as a Ragnar Locker ransomware attack through analysis of a recovered ransom sample. The attackers claimed encryption of approximately 2,000 devices and exfiltration of 1TB of unencrypted corporate data. The disruption was immediately visible: Capcom posted website notices stating that its email system was unavailable and that it could not process document requests. Beyond confirming that a third party had accessed its network, the company initially disclosed no details about data compromise or ransomware involvement.

The ransomware operators provided a negotiation portal via Tor and substantiated their data theft claims through seven print.sc URLs embedded in the ransom note, displaying screenshots of stolen documents including Japanese passports, employee termination agreements, bank statements, contractor agreements, Steam sales reports, and Active Directory management consoles. A linked 24MB archive on Ragnar Locker’s leak site contained additional compromised materials such as salary spreadsheets, revenue forecasts, non-disclosure agreements, royalty reports, immigration forms, and internal communications. Attackers demanded an $11 million bitcoin ransom for decryption tools, stolen data deletion, and a network penetration report, though Capcom’s absence from the negotiation chat indicated no engagement with payment demands by the time of reporting. Operational consequences included sustained email system outages affecting external communications, with BleepingComputer’s attempted inquiries going unanswered due to these disruptions. Ragnar Locker’s history of high-impact attacks included prior incidents targeting Energias de Portugal and CMA CGM, involving multimillion-dollar ransom demands and significant operational downtime.
