CD Projekt, a Polish game developer, publisher and distributor, best known for The Witcher Series and the open-world role-playing game Cyberpunk 2077, is the latest company in the gaming industry to fall victim to a cyberattack. An unknown perpetrator managed to hack the company’s servers, steal data and encrypt files. No personal information was reportedly stolen from gamers.
Hacker Encrypts Data with Ransomware
It remains unclear when exactly the cyberattack took place. In a tweet, CD Projekt explains that an unidentified actor gained unauthorized access to their internal network on Monday. Consequently, a number of their systems had been compromised. Once inside, the hacker stole confidential information belonging to CD Projekt and CD Projekts’ parent company, CD Projekt Capital Group. The attacker also left a ransomware note, giving the company 48 hours to respond.
The perpetrator encrypted a number of devices on the network. The only way to access files encrypted by malware is to pay a ransom or, if available, recover the data from backups. If a victim refuses to pay the ransom, cybercriminals generally threaten to leak sensitive data or sell stolen information on the dark web. If confidential and competition-sensitive data does end up on the street, this can lead to serious reputational and financial harm.
CD Projekt is still investigating the incident. However, they confirmed that “to the best of their knowledge” the hacker did not compromise any gamers’ user data. All their backups also remained intact, which has allowed the company to start restoring their network and data. CD Projekt have also already approached the relevant authorities, as well as IT forensic specialists.
Source Code Leaked
So, what information did the hacker obtain? According to the ransomware note, he accessed documents relating to accounting, administration, legal, HR, investor relations and more. The perpetrator also claims he retrieved full copies of the source code for Cyberpunk 2077, The Witcher 3, Gwent and an unreleased version of The Witcher 3.
The perpetrator threatens to disclose all information if CD Projekt refuses to negotiate. Another step he is threatening to take is to send the source code of games and documents to gaming journalists. “Your public image will go down the shitter even more and people will see how shitty your company functions. Investors will lose trust in your company and the stock will dive even lower!”
People reacting to CD Projekt’s tweets have mocked the hacker’s immature language. “Y’all really got hacked by a ten year old…”, “You have been epically pwned is what we said back in MW2 when we was 10 years old hitting quickscope”, “Contacts in gaming journalism…. Wheeze”, “Gonna guess it’s a former script kiddie who never grew up.”
CD Projekt Does Not Negotiate with Hackers
CD Projekt quickly entered “incident response mode”. They communicated almost immediately about the attack, published the ransomware note, are restoring encrypted systems and are keeping people up to date. Moreover, they also immediately made clear that they would not pay the ransom.
“We will not give in to the demand nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular in approaching any parties that may be affected due to the breach.”
The incident does not come at a good time for CD Project, as the company is still grappling with the disastrous end-of-year rollout of the console version of Cyberpunk 2077. The game was launched with numerous bugs. In mid-January, CD Projekt’s co-founder, Marcin Iwiński, made a public apology. In a video posted on YouTube and Twitter he explains what the days leading up to the launch looked like, sharing the studio’s perspective and asking fans not to blame the team. Marcin Iwiński acknowledged the console version “did not meet the quality standards we wanted it to meet”. Nonetheless, the game had already sold over 13 million copies by the end of December.
Growing List of Victims in Gaming Industry
CD Projekt is joining a long and growing list of companies in the gaming industry that have had to deal with a cybersecurity incident. In November, Japanese game developer Capcom was hit by a custom ransomware attack. The hacker group Ragnar Locker has since claimed responsibility for the attack. They claimed to have encrypted 2,000 devices on Capcom’s network. Next, they demanded $11 million in bitcoins for a decryptor.
Earlier the same month, game developer Crytek and publisher Ubisoft were attacked by the Egregor ransomware group. In this case, the perpetrators threatened to release the source code for Watch Dogs: Legion, a triple-A game that was released on PlayStation 4, Xbox One, Stadia and Windows PC just last month. Ubisoft refused to pay the ransom. Consequently, the source code was leaked. In addition, the hackers published documents providing details about games that were still in development.
In December, another company was crossed of the “hit list”. Game developer Koei Tecmol, known from games like Dynasty Warriors, Fire Emblem Warriors, Hyrule Warriors: Age of Calamity for the Nintendo Switch and the Dead or Alive series – was hit by a spear phishing attack. Rumor has it that the perpetrator stole a database containing personal data of 65,000 forum members.