CD Projekt has issued a statement, saying that unspecified ransomware attacked the company’s information systems. The company, known for game series The Witcher and the notorious Cyberpunk 2077 project and behind digital distribution service GOG.com, says that to its knowledge users’ personal data wasn’t affected by the attack.
According to the statement, unknown hackers penetrated internal company systems, downloaded a significant amount of data, encrypted all information, and left a ransom note. In the note, they threatened CD Projekt with the publication of the data they’d acquired. This modus operandi corresponds with ransomware tactics common over the past few years, not only encrypting data, but also threatening to leak it.
The incident might be just another fast-disappearing news item about a ransomware attack if not for the company’s reaction to the attack. CD Projekt says it does not plan to give in to any demands, or even to negotiate with the ransomware operators. Instead, the company plans to focus on mitigation, in particular by working with potentially affected third parties. In addition, CD Projekt published the ransom note.
We support the decision not to pay, as well as such transparency in communications about the incident. Any payment to extortionists makes their ransomware business more profitable and supports the development of more and better malicious tools — but does not guarantee the criminals won’t publish the stolen data anyway. (CD Projekt had backups of all critical information, so recovering the data was never an issue in this case.)
What was stolen?
The ransom note’s list of compromised data is suspect — criminals are not necessarily trustworthy reporters — but it’s the only information the public has about what was stolen. CD Projekt neither confirmed nor denied its accuracy. The criminals claimed they stole information from the Perforce version control server, including the full source code of several games:
- Cyberpunk 2077,
- Witcher 3,
- An unpublished version of Witcher 3.
Moreover, the hackers claimed to have documents from the accounting, administration, legal, human resources, and investor relations departments, and they threatened to send the information to gaming journalists to destroy the developers’ reputations.
CD Projekt is already working with law enforcement agencies and cybersecurity specialists and plans to investigate the incident thoroughly. Without information about the contents of the stolen documents, predicting the results of the leak would be difficult, but overall, the company’s incident response tactics should soften its potential reputational damages.
As for the potential source code leak, it may spur cybercriminal groups to begin analyzing the company’s products, searching for vulnerabilities. If they succeed, that could pose a danger to users, especially those using online multiplayer games.
That’s why we always recommend particular caution in development environments, which should be isolated from general corporate networks and protected with robust security solutions.