
Game Publisher Bandai Namco Confirms a Suspected BlackCat Ransomware Attack

Game publisher Bandai Namco suffered a suspected ransomware attack, possibly leaking customer data, the company admitted.

According to the company’s statement, the hackers breached Bandai Namco’s internal systems in Asia, excluding Japan.

Bandai Namco did not disclose the hacking group’s identity, but VX-underground suggested that the BlackCat/ALPHV ransomware gang was responsible for the attack.

The Japanese game publisher boasts popular series including Ace Combat, Dark Souls, Elden Ring, Gundam, Pac-Man, Soulcalibur, and Tekken, among others.

Customer data leaked in the Bandai Namco ransomware attack

Bandai Namco confirmed the cyber intrusion on July 3, 2022, and took measures to block access and prevent the ransomware from spreading.

However, the company anticipates “that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs” compromised in the ransomware attack.

Subsequently, the game publisher commenced an investigation aimed at “identifying the status about existence of leakage, scope of the damage.”

In addition, Bandai Namco promised to continue to investigate the source of the ransomware attack, disclose the investigation results, work with external organizations to strengthen security throughout the company, and “take measures to prevent recurrence.”

“We offer our sincerest apologies to everyone involved for any complications or concerns caused by this incident,” Bandai Namco apologized.

The publisher did not disclose the nature of information potentially stolen from its servers during the ransomware attack.

However, the heist likely compromised employee, user, and business operations data, not game source code. Hackers could use any leaked personally identifiable information for social engineering attacks.

According to screenshots shared by VX-underground, the ransomware group was preparing to leak Bandai Namco’s data and had tagged the company under “data soon.”

“The company’s confirmation that systems were accessed through a third-party entity of theirs (a subsidiary under the Holdings group) paints a clear example that there must be better management of these types of entities in regard to an organization’s greater security framework,” Demi Ben-Ari, CTO, Co-Founder and Head of Security for Panorays, said.

Ben-Ari added that companies should vet their subsidiaries like ordinary and external third parties.

“Just as if they were a ‘regular 3rd party,’ these entities must be assessed with the same cyber risk framework as the parent organization. Basic steps can be taken such as improving overall cyber hygiene across the organization, as well as continuous monitoring and engagement with these types of third parties.”

Lisa Plaggemeier, Interim Executive Director of the National Cybersecurity Alliance (NCA), agreed that the Bandai Namco ransomware attack called for better “third party risk management measures.”

She suggested multi-factor authentication (MFA) and proper privileged access management and identity and access management (PAM/IAM).

“DarkSide used the same methods in the Colonial Pipeline attack, which spotlights how vulnerable third-party partner ecosystems can be.”

The most notorious ransomware gang strikes again

Launched in November 2021, BlackCat/ALPHV is the successor of the DarkSide/BlackMatter gang responsible for the Colonial Pipeline ransomware attack. The attack prompted renewed law enforcement action against ransomware attacks.

Gaming companies have frequently become targets of cyber attacks. In 2020, Resident Evil creator Capcom disclosed that it suffered a similar cyber attack. And in 2021, CD Projekt Red experienced a cybersecurity incident that leaked the source code of Cyberpunk 2077 and Witcher 3. NVIDIA, Electronic Arts, and Ubisoft also suffered cyber attacks attributed to the Lapsus$ group in 2021. None of the companies paid the ransom, forcing the hackers to publish the data.

BlackCat has also claimed responsibility for the HydraElectric and Royal Commission for Riyadh City data leaks. Other BlackCat ransomware victims include Moncler and Swissport.

In April 2022, the FBI warned that the BlackCat ransomware gang had breached at least 60 entities worldwide. The federal law enforcement agency also noted that the group was the first to develop ransomware using the highly secure and robust Rust programming language.

Like its successor, BlackCat operates on the ransomware-as-a-service model and uses double extortion tactics.

“The alleged ransomware attack on video game creator Bandai Namco by ALPHV/BlackCat is a stark reminder of the ongoing importance of an effective ransomware detection and recovery program,” Neil Jones, director of cybersecurity evangelism at Egnyte, said.

“Here, we see two new and potentially disturbing trends: the emergence of a white-glove Ransomware as a Service (RaaS) offering and the publication of victims’ information on the clear Web, which permits the information to be indexed by search engines and viewed by the general public.”