Incidents & Vulnerabilities
Capcom Ransomware (2020) — Why an Old VPN Device Was the Way In, and the Double-Extortion Defense
In 2020, Capcom was hit by ransomware: up to ~390,000 people's data was potentially exposed and systems encrypted. The way in was an old backup VPN device left running at a North American subsidiary; the attack was double extortion — steal, then encrypt. Defend by decommissioning unused gear and patching edge devices.
We read real, public breaches not as replayed news but as "how do you defend against this?" This article is based on the public record (company statements, reputable reporting). Sources are listed at the end, and no attack how-to is included.
- Target
- Capcom Group internal systems and personal data of customers, partners and employees (operator: Capcom Co., Ltd.)
- Detected
- 2 November 2020 (system trouble noticed and disclosed)
- Pattern
- Entry via an old backup VPN device at a North American subsidiary → data theft → encryption with ransomware (double extortion)
- Scale
- Up to ~390,000 people's personal data potentially exposed (confirmed theft was a subset; no credit-card data)
- Root cause
- An old VPN device left running (attack surface) + insufficient edge-device defense + weak controls to stop lateral movement and exfiltration internally
- Real fix
- Decommission unused gear / asset inventory; patch VPN/edge devices + MFA; segmentation, least privilege, bulk-exfiltration detection; backups and recovery drills
What happened (in plain terms)
Ransomware encrypts an organization's files and demands "pay to get them back." In recent years attackers add a twist — steal the data first and threaten to publish it unless paid: double extortion.
At Capcom, the way in was an old backup VPN device left running at a North American subsidiary. After newer devices replaced it, the old one kept running as an emergency backup for connectivity problems. Even if you think it's unused, if it's powered on it's a doorway an attacker can see. From there they entered the internal network, stole data, and then encrypted systems. Capcom refused the ransom demand (working with law enforcement), restored from backup, and disclosed its findings transparently across several updates. More than the intrusion itself, one forgotten device and an internal path to steal data widened the damage.
The device you 'don't use anymore' is the most dangerous
Attackers love assets that have fallen out of anyone's line of sight. A device replaced by a newer model but left running, a departed employee's account, a test server stood up and forgotten — each is "no longer used," so its patching and monitoring tend to stop, yet it's still reachable from the network. If you don't use it, turn it off / remove it. If you keep it, keep it current and monitored. The middle ground — neglect — is the worst.
The attack chain is also a defense map
This was a chain with a place to stop it at every step. Read it as where it could have been broken, not as a how-to.
1. An old backup VPN device was left running
Kept as an emergency backup after newer units arrived — still attack surface.
Stop: decommission unused gear; asset inventory; minimize the attack surface
2. That device was used to enter the network
An edge device became the path inside.
Stop: patch VPN/edge devices; multi-factor authentication; keep them current
3. Data stolen, then encrypted (double extortion)
A large amount of data was taken before encryption.
Stop: segmentation; least privilege; EDR; detect bulk exfiltration
4. Ransom demand and leak threat
Pay, or the stolen data gets published.
Stop: recover from backup; a no-pay policy; law-enforcement liaison; transparent disclosure
Published timeline
2020-10
Unauthorized access to the internal network occurs via an old backup VPN device at a North American subsidiary.2020-11-01
Late at night, some devices in Japan and North America are encrypted by ransomware (Ragnar Locker).2020-11-02
System trouble is noticed and disclosed; some systems are halted to investigate the scope.2020-11
Attackers leak some stolen data and demand a ransom worth roughly ¥1.1bn. Capcom does not engage and refuses to pay (working with law enforcement).2021-04-13
Final investigation report: up to ~390,000 people's personal data potentially exposed (no credit-card data). Preventive measures are announced.2020–2021
Systems are restored from backup; monitoring and defense-in-depth are strengthened.
The root cause wasn't "bad luck" but layers failing
Writing this off as "a sophisticated attack got them" misses the point. Intrusion can happen; what matters is whether you reduce the ways in and minimize damage once inside.
The setup that failed
- An old VPN device left running after newer units replaced it
- Insufficient patching / MFA on edge devices
- Weak controls to stop lateral movement and bulk theft
- Even with backups, exfiltration wasn't prevented
The setup that holds
- Decommission unused gear; inventory assets to shrink the attack surface
- Patch VPN/edge devices and require multi-factor authentication
- Segmentation, least privilege, EDR to stop movement and theft
- Backups + recovery drills restore availability (alongside anti-theft controls)
Being able to say 'no' came from being prepared
Capcom refused the ransom, restored from backup, and disclosed its findings transparently. It could make the right call — not paying — because it had the means to recover and the posture to disclose. Paying guarantees neither decryption nor that the leak stops, and it funds the next attack. Backups, segmentation and asset inventory done up front are what leave you options in a crisis. (Related: the unpatched-software Equifax breach.)
How you defend against this
Ransomware targets organizations of every size. In priority order:
Decommission unused devices, paths and accounts
Old gear replaced by newer models, forgotten test servers, departed employees' accounts — inventory what you 'no longer use' and turn it off / remove it. If it's running, it's attack surface. If you keep it, keep it current and monitored.
Patch edge devices and add multi-factor authentication
Patch vulnerabilities in VPN and remote-access devices and require multi-factor authentication. The edge is targeted first. Use the vulnerability-response playbook to fix thoroughly and keep monitoring.
Stop exfiltration (segmentation, least privilege, detection)
For double extortion, backups aren't enough. Segment the network, apply least privilege to stop lateral movement, and use EDR plus bulk-movement detection to prevent the theft itself.
Backups and recovery drills let you choose 'no'
Keep offline / versioned backups and rehearse recovery. With the means to recover, you can restore the business without paying. Build it into your organizational security baseline.
Where this overlaps with how this site is built
At its core, this incident left an asset it supposedly "no longer used" (an old VPN device) running, and allowed internal exfiltration. That is the mirror image of this site's own principles — minimize the attack surface, shrink the blast radius, and defend in layers. A neglected old device is the same management blind spot as a secret in a public directory or a dormant account. "If you don't use it, turn it off; patch the edge; defend against both theft and encryption" is a defense anyone can implement at any scale.
Sources (public record)
The facts here are based on the following public information. No attack how-to is included — only the defensive lessons.
- Capcom Co., Ltd. official statements (reports and updates on the data security incident due to unauthorized access, 2020–2021) — capcom.co.jp
- Contemporary reporting (entry via an old VPN device, double extortion, ransom demand and refusal, 2020–2021), based on the primary disclosures
Read next
- Glossary: what ransomware is (how it works, and defending to say "no") / what EDR is (detecting endpoint anomalies)
- Practice: the vulnerability (CVE) response playbook (fix edge devices thoroughly and monitor) / the organizational security baseline
- Case: the Equifax breach (2017) (a mass leak caused by unpatched software)
FAQ
QWhat was the way into the Capcom breach?
An old backup VPN device left running at a North American subsidiary. After newer units replaced it, the old device kept running as an emergency backup. Attackers used it as a foothold into the internal network. Even gear you think you've stopped using is part of your attack surface if it's still powered on and reachable.
QWhat is 'double extortion,' and why aren't backups enough?
Beyond encrypting data for ransom, attackers first <strong>steal the data and threaten to publish it unless you pay.</strong> Backups let you recover from the encryption (restore availability), but <strong>they can't undo the theft.</strong> So you need not just anti-encryption measures (backups) but measures that <strong>prevent exfiltration in the first place</strong> — segmentation, least privilege, and detection of bulk data movement.
QCan a smaller org learn from this?
Yes: (1) inventory and decommission unused devices, accounts and paths (leaving them makes them targets); (2) patch VPN/edge devices and add multi-factor authentication; (3) keep backups and rehearse recovery; (4) segment internally and use least privilege to stop exfiltration. Even at a small scale, a neglected old device and a flat network carry the same danger.