After days of fevered speculation, Bandai Namco, the Japan-based developer of video games including Pac-Man, Dark Souls, Soulcalibur and Tekken, has confirmed that a cyber attack against its systems did take place, although it stopped short of describing it as a ransomware attack.
Talk of an incident surfaced on Monday 11 July when VX Underground revealed via Twitter that Bandai Namco’s details had appeared on a victim leak site run by the ALPHV – also known as BlackCat – ransomware crew, along with a threat to leak its data.
ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco. Bandai Namco is an international video game publisher. Bandai Namco video game franchises include Ace Combat, Dark Souls, Dragon Ball*, Soulcalibur, and more.
— vx-underground (@vxunderground), July 11, 2022
In a statement provided to multiple outlets, the publisher said the internal systems of several group companies in Asia had indeed been accessed by a third party.
“After we confirmed the unauthorised access, we have taken measures such as blocking access to the servers to prevent the damage from spreading,” the firm said.
“In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause.
“We will continue to investigate the cause of this incident and will disclose the investigation results as appropriate. We will also work with external organisations to strengthen security throughout the group and take measures to prevent recurrence,” the spokesperson added.
“We offer our sincerest apologies to everyone involved for any complications or concerns caused by this incident.”
Commenting on the incident, Vectra EMEA CTO Steve Cottrell said: “Bandai Namco appears to be the latest in a growing line of victims of ransomware-as-a-service [RaaS] group ALPHV. The group has been upping the stakes recently, hitting businesses of all sizes worldwide and extorting victims for all they’re worth – reportedly charging up to $2.5m for ransoms, and carrying out ‘quadruple extortion’ ransomware attacks, hitting victims with data encryption, data theft, denial-of-service attacks and further harassment, all pressuring them to cough up.”
ALPHV/BlackCat has been operational since late 2021, and likely has links to the BlackMatter group and through them, possibly, Darkside and REvil. It has struck a number of high-profile victims, including Germany-based fuel distributor OilTanking and aviation services firm Swissport and, more recently, a number of universities in the US.
Jonathan Earley, a cyber threat response analyst at Dublin-based Integrity360, has dealt with multiple ALPHV intrusions in recent months.
He said it was becoming clear that as the RaaS economy becomes increasingly specialised – with some threat actors specialising in initial access, some in post-compromise activity, and some in victim monetisation – security teams’ jobs are becoming harder because it is increasingly unclear who is doing what.
Multiple ALPHV victims, he said, seem to have fallen prey to an identical initial access vector being used by different operations, likely the result of active initial access brokers (IABs) selling their bridgeheads to others.
However, he told Computer Weekly in emailed comments, there are some commonalities seen across ALPHV intrusions. Most notably, said Earley, the gang often makes an immediate attempt to encrypt VMware ESXi infrastructure.
“In our experience, this can be devastating for many organisations because much of their estate is virtualised, additionally from the attacker’s perspective, encrypting one server can bring a victim organisation to its knees,” he said.
“We would recommend the following mitigations for ESXi systems: network segmentation for VMware ESXi and vCenter Server management; use Lockdown Mode in ESXi; robust backups; enable multifactor authentication; and have centralised logging.”
Earley added: “Aside from locking down ESXi, it is imperative organisations ensure their endpoint protection capabilities and coverage can detect tools such as BloodHound AD enumeration, Cobalt Strike and lateral movement PowerShell scripts such as ADRecon.
“Furthermore, on the network side, correlation rules identifying lateral movement with PsExec and traffic to sites such as MEGAsync would be considered important.”
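As an added illustration of the correlation rule Earley describes (example code written for this article, not from Integrity360 or Computer Weekly), the toy below pairs a PsExec-style service install on a host with subsequent traffic from that host to MEGA domains; the event shapes, hostnames and timestamps are constructed, and the domain list is an assumption.

```python
"""Toy correlation: PsExec lateral movement followed by MEGA (MEGAsync) traffic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields: ts, host, kind, detail.
# kind "svc" = Windows System event 7045 (service installed); detail = service name.
# kind "net" = proxy/DNS log; detail = destination host.
EVENTS = [
    ("2022-07-10T02:14:05", "FS01", "svc", "PSEXESVC"),
    ("2022-07-10T02:20:41", "FS01", "net", "g.api.mega.co.nz"),
    ("2022-07-10T03:02:00", "WS22", "svc", "PSEXESVC"),
    ("2022-07-10T09:15:00", "WS22", "net", "update.microsoft.com"),
    ("2022-07-10T10:00:00", "WS07", "net", "mega.nz"),
]

PSEXEC_SERVICES = {"PSEXESVC"}            # default PsExec service name
MEGA_DOMAINS = ("mega.nz", "mega.co.nz", "mega.io")  # assumed MEGA domains
WINDOW = timedelta(hours=1)


def is_mega(dest: str) -> bool:
    """True if dest is a MEGA domain or a subdomain of one."""
    d = dest.lower()
    return any(d == dom or d.endswith("." + dom) for dom in MEGA_DOMAINS)


def correlate(events, window=WINDOW):
    """Return {host: severity}: 'high' when a PsExec service install is followed
    within `window` by MEGA traffic from the same host, 'medium' for either alone."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in sorted(events):
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    alerts = {}
    for host, evs in by_host.items():
        psexec = [t for t, k, d in evs if k == "svc" and d.upper() in PSEXEC_SERVICES]
        mega = [t for t, k, d in evs if k == "net" and is_mega(d)]
        if any(timedelta(0) <= (m - p) <= window for p in psexec for m in mega):
            alerts[host] = "high"
        elif psexec or mega:
            alerts[host] = "medium"
    return alerts


if __name__ == "__main__":
    for host, sev in correlate(EVENTS).items():
        print(f"{sev:6} {host}")
```

In practice the same logic runs as a SIEM rule keyed on event 7045 (or Sysmon process creation of PSEXESVC) joined with proxy or DNS logs on hostname and time.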