How a Resident Evil image leaked in a ransomware attack ended up in the middle of $12m copyright claim

Back in November, gaming giant Capcom suffered a ransomware attack. In its press notification, it mentioned the various types of data potentially grabbed by their attackers. Things took an ominous turn when they refused to pay the ransom, and the group behind the attack said that was the wrong move. Capcom had the chance to “save data from leakage”; they did not take it. Sure enough, a whole collection of files were leaked soon after.

The threat of data drops from scorned ransomware groups is now a common extortion tactic. What we couldn’t have predicted here, is one of the ramifications of said drop. Time to wind things forward to June 2021 and a date with a lawsuit. The twist? The lawsuit isn’t aimed at the ransomware authors, but the compromised company.

Of data drops and research collections

I used to work in and around game / movie development a long time ago. We were incredibly low budget, and did very low budget things. An invaluable source of help at the time were resource guides and collections. Essentially: Big books filled with work compiled by visual artists, composers, designers, whoever. If you were lucky, the book came with a CD loaded with material from the book. Even luckier? You could use the contents for your own work for free. If the project was commercial, you’d typically pay a license fee of some kind.

There were also companies which curated content from multiple artists, and made sure all the licensing behind the scenes was watertight. Where this often went wrong was if the disc went walkabout away from the book.

Organisations would end up with discs lying around in desks, with nobody sure of the source / who had paid for licensing. If someone ripped disc contents, you’d then end up with self-burnt CDs lying around the place which appeared to be in-house creations. You have to be incredibly careful where resource materials are concerned.

If you’re wondering how this ties into the ransomware attack, I’m about to fill in the blanks.

The unintended consequence of a data leak

An artist in this case is seeking $12m in damages from Capcom, claiming Capcom used their imagery from a resource book / CD in a number of its video game titles. This has all come about off the back of the data leak from the ransomware hack. At least one of the images from the stolen and leaked files shares the same file name as what appears to be an identical image from the book’s CD-ROM.

The Juracek Vs Capcom document can be seen here, along with multiple examples of images potentially making their way into games. Sadly, it doesn’t go into detail on the most fascinating part…whether or not the artist became aware as a result of the data breach and subsequent leak. Most reports simply say the artist is using the breach as part of their evidence. There’s also the question of how they became aware of the images in the dump in the first place.

If I had to guess, incredibly knowledgeable fans saw the high resolution images, wondered where they came from, and perhaps got in touch with the creator. This isn’t an unusual thing to happen. Back in the mid 90s I tracked down the music composer for a AAA game series on Japanese language message boards, in order to tell them how cool their music is. It’s a lot easier to do things like this these days which may be a blessing or a curse, or perhaps a bit of both.

However you stack it up, it promises to be a fascinating day in court. This story raises some other issues, too.

Turning a negative into a positive

Some ransomware groups have tried to mix it up a bit in the realm of PR. They present themselves as Robin Hood style renegades, robbing the rich to give to the poor…or, more specifically, giving to charities. An interesting tactic, except charities face all sorts of problems if they’re gifted ill-gotten gains. As mentioned elsewhere, there’s every possibility the “we’re being helpful, honest” approach is merely a ruse to keep up the pretence of respectability. Here, though, we run into a bit of a problem.

The artist in question has made what they feel to be a valid complaint, and are having their day in court as a result. Being able to tie specific file names from their CD-ROM to named files in Capcom folders off the back of the hack? That probably strengthens their case quite a bit.

Put simply, these ransomware authors…and anyone else, for that matter…can now point to this story as evidence that they did in fact “help” someone in indirect fashion.

New frontiers in the ransomware world

The fallout from the attack could prompt a new ransomware tactic. It’s not a stretch to think breachers will go looking for copyright / related violations. After all, some ransomware groups have already shown an interest in how they can weaponize the data they’ve stolen, beyond simply leaking it.

With so many ways to tie found materials to the original source online, they may view this as an easy PR win. On top of all the other issues with ransomware, we probably don’t need its authors yelling “Look! We’re helping!” every time a new leak hits. When a creator is potentially $12 million out of pocket, it becomes increasingly tricky to argue against it.

Sure, this is still potentially another way for people who don’t actually care about helping people to act as if they do. But if the end result is the same and someone does benefit, it doesn’t really matter a whole lot. As far as the ransomware authors are concerned, they’ll have a collection of individuals telling everyone how cool they are.

It’s to be hoped we don’t end up fighting a PR war on top of the technical battle already raging across networks everywhere. I’m not sure I agree that “any publicity is good publicity”, but good publicity certainly is. So in case anyone is tempted to offer ransomware operators the benefit of the doubt, let’s not forget they’re same organised crime gangs that think little of attacking hospitals.

The post How a Resident Evil image leaked in a ransomware attack ended up in the middle of $12m copyright claim appeared first on Malwarebytes Labs.