CD Projekt Red, the developer of the highly anticipated and extremely disappointing video game Cyberpunk 2077, has been hit by a ransomware attack in which hackers have claimed access to the source code of the company’s video games.
“An unidentified actor gained unauthorised access to our internal network, collected certain data belonging to CD Projekt capital group and left a ransom note the content of which we release to the public,” CD Projekt Red said in a statement.
“Although some devices in our network have been encrypted, our backups remain intact. We have already secured our IT infrastructure and begun restoring the data.”
The Polish video game developer shared a screenshot of the accompanying ransom note in which the hackers said CD Projekt Red had “been EPICALLY pwned”.
“We have dumped full copies of the source codes from your Perforce server for [video games] Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher 3,” the ransom note continued.
“We have also dumped all of your documents relating to accounting, administration, legal, HR, investor relations and more.”
As well as being a video game developer, CD Projekt Red also distributes games through its digital rights management (DRM)-free online marketplace Good Old Games (GOG).
The company said none of the compromised data related to players or users of its other services like GOG.
CD Projekt Red said it was already in the process of restoring data from backups and would not give in to the ransom demands – even if that means ill-gotten information would be publicly released.
To our ex employees: As of this moment, we don't possess evidence that any of your personal data was accessed. However, we still recommend caution (i.e. enabling fraud alerts). If you have questions, please write to our Privacy Team dpo[at]https://t.co/0UUMoqT5tF
— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
Satnam Narang, Staff Research Engineer at cyber firm Tenable, said the developer seemed to have done the right thing by not giving in to the ransomer’s demands.
“Extortion tactics, such as the theft of and subsequent threat to publish stolen documents on so-called leak websites have proven to be lucrative for ransomware gangs,” he said.
“In this case, the affected party’s backups of their systems remained intact allowing them to restore operations.
“Guidance from the FBI recommends not giving in to ransom demands because it emboldens cybercriminals to continue their efforts.
“At the end of the day, there is no guarantee that they’ll honour their word not to leak the stolen information or provide a valid, working decryption key.”
There is a hint of irony for CD Projekt Red given the prominence of hacking as a feature and theme of its latest video game Cyberpunk 2077.
Cyberpunk 2077’s release was a disaster as the game was filled with bugs, lacked features the developers promised, and was nearly unplayable on older console versions.
The release was so bad that a New York law firm opened a class action suit on behalf of the company’s investors, seeking to recoup losses by claiming CD Projekt Red misled investors about the quality of Cyberpunk 2077 in the lead-up to its launch.
The hackers behind this attack said the documents they plan to leak would further damage public perception of CD Projekt.
“People will see how shitty your company functions,” the ransom note said. “Investors will lose trust in your company and the stock will dive even lower.”
CD Projekt Red’s share price dropped nearly six per cent on the day it disclosed the cyber attack.