Cyberpunk 2077 developer refuses to pay up after ransomware attack

CD Projekt Red, the Polish games developer behind the Cyberpunk 2077 videogame, is refusing to give in to ransom demands made by cyber criminals who have broken into and encrypted some of its systems, and claim to have exfiltrated its source code and other data.

In a statement, the firm said it discovered it had fallen victim to a “targeted” cyber attack on 8 February, in which some of its internal systems were compromised.

“An unidentified actor gained unauthorised access to our internal network, collected certain data belonging to CD Projekt capital group, and left a ransom note, the content of which we released to the public,” the firm said.

In the note – the release of which displays an unusual and refreshing openness on CD Projekt’s part – the gang behind the attack claim to have “EPICALLY pwned” the company, and to have dumped full copies of the source code for a number of the studio’s properties, including Cyberpunk 2077 and Witcher 3.

It also claims to have control of accounting, administrative, legal, human resources and investor relations documents.

“If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism. Your public image will go down the sh**ter even more and people will see how sh**ty your company functions. Investors will lose trust in your company and the stock will dive even lower!” they said.

CD Projekt said: “Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data.

“We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach.”

CD Projekt said that while the investigation was still ongoing, at this stage there is no indication that any of the compromised systems contained any personal data on its players or users of its services. It is already working with law enforcement, forensic cyber security investigators, and the Polish data protection regulators.

There is currently no indication or information as to which strain of ransomware was used in the attack.

Sumo Logic’s Europe, Middle Easter and Africa vice-president, Ian Chidgey, commented: “Based on the note shared by CD Projekt, this appears to be an attack on the company’s software development process that led to the hackers getting in.

“Finding a tool that is not secured properly and then using lateral movement within the network to launch ransomware has become a more common approach for hackers, as it does lead to ransom payments. However, the note may not be telling the truth, and the issue may be elsewhere. 

“Securing the whole software supply chain is a higher priority for companies of all kinds these days after the SolarWinds attack in late 2020. For companies where code is their product, this is even more important to get right. Putting strong observability processes in place can help in these circumstances to show where things are out of the ordinary.

“For games developers and publishers, protecting their operations involves securing game assets and IP alongside the cloud instances and services running the games instances.

“For the biggest games, the data volumes coming from players in the cloud leads to this being a machine-readable problem and no longer a human readable issue. If we are able to observe our software supply chains and all the data loads created by online gaming instances over time, we can be more secure,” said Chidgey.

ProPrivacy’s Ray Walsh also said the attack demonstrated the importance of securing intellectual property for software companies, and said the company now faced a dilemma, as if its attackers make good on their threat and leak the source code online, this would enable cracked versions of its games to proliferate online, causing damage to its bottom line.

“The possibility of an inside job is, of course, plausible. The bad press caused by the early release of Cyberpunk 2077 in a buggy state, as well as reports that CD Projekt blamed its developers for the issues, could well have left a bad taste in somebody's mouth,” said Walsh.

“We will now have to wait and see exactly what forensic analysis reveals about this hack so that CD Projekt can ascertain exactly what data was affected and what exactly might potentially be at risk.

“The good news is that initial reports appear to show that no consumer-related data was lifted. However, consumers will need to watch this incident closely to be sure that no personal data was affected that could be leveraged for phishing or ID fraud, for example,” he said.