Elden Ring publisher hit by ransomware attack

The BlackCat ransomware group, also known as ALPHV, claims to have breached the systems of Namco Bandai, the Japanese video game publisher behind AAA titles such as Elden Ring and Dark Souls

The news was also first broken by Vx-underground, and later reported by two malware-watching groups. BlackCat is one of the world’s most popular ransomware strains, even grabbing the attention of the Federal Breau of Investigation (FBI). 

However Namco Bandai is currently keeping silent on the matter, making it hard to confirm the authenticity of these claims. 

At the FBI’s crosshairs

In April 2022, the FBI issued a warning that BlackCat’s “virulent new ransomware” strain infected at least 60 different organizations in two months’ time. Back then, the FBI described BlackCat as “ransomware-as-a-service”, and said its malware was written in Rust.

While most ransomware strains get written in either C, or C++, the FBI argues that Rust is a “more secure programming language that offers improved performance and reliable concurrent processing.”

BlackCat usually demands payment in Bitcoin and Monero in exchange for the decryption key, and although the demands are usually “in the millions”, has often accepted payments below the initial demand, the FBI says.

Allegedly, the group is strongly tied to Darkside and has “extensive networks and experience” in operating malware and ransomware attacks. 

After achieving initial access to the target endpoints, the group will proceed to compromise Active Directory user and admin accounts and use the Windows Task Scheduler to configure malicious Group Policy Objects (GPOs), to deploy the ransomware.

Initial deployment uses PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network.

After downloading and locking down as much data as possible, the group will seek to deploy ransomware onto additional hosts.

The FBI recommends reviewing domain controllers, servers, workstations, and active directories for new or unrecognized user accounts; regularly backing up data, reviewing Task Scheduler for unrecognized scheduled tasks, and requiring admin credentials for any software installation processes, as mitigation measures. 

BlackCat has also recently joined Conti’s decentralized network of threat actors, and has successfully breached Microsoft Exchange servers, on a number of occasions, to deploy ransomware.

Via: PCGamer