Ransomware became an increasingly serious threat throughout 2020, as hackers continued to target hospitals and healthcare providers amid the pandemic. A more modest trend has also formed in recent months, with a series of attacks on video game companies such as Ubisoft, Capcom and Crytek. Now, developer CD Projekt Red, which released the decried blockbuster Cyberpunk 2077 in December, is the latest target.
On Tuesday, CD Projekt Red revealed that it was the victim of a ransomware attack. “Some of our internal systems have been compromised,” the company said in a statement posted on Twitter. The attackers encrypted some computers and stole data, but CD Projekt Red said it would not pay the ransom and was restoring its systems from backups. The incident comes as CD Projekt Red faces months of sustained criticism for its bug-riddled, overloaded Cyberpunk 2077 release. The game had so many performance issues on different platforms that Sony pulled it from the PlayStation Store and, along with Microsoft, offered refunds to gamers.
Despite the company’s recovery efforts, it still faces potential fallout. The attackers apparently stole the source code not only for Cyberpunk 2077 but also for other CD Projekt Red games such as Witcher 3, a new version of Witcher 3, and Gwent, the Witcher digital card game. The attackers also claim to have stolen business information such as investor relations, human resources and accounting data. CD Projekt Red claims there is no evidence that customer data was compromised during the breach.
“If we don’t come to an agreement, then your source code will be sold or leaked online and your materials will be sent to our contacts in gaming journalism,” the attackers said in their ransom note. “Your public image will be even more blurry.”
CD Projekt Red has released fixes for Cyberpunk 2077 with the aim of improving game stability and controlling the damage. But the company faces a lawsuit from investors, charges of forcing developers to work unreasonable overtime to complete the game, and criticism of its use of nondisclosure agreements to prevent reporters from accurately reporting the game’s shortcomings before its release.
The company claims the attackers have not yet been identified, but the ransom note and its file name, “read_me_unlock.txt”, are familiar to researchers at antivirus company Emsisoft.
“This attack appears to involve a type of ransomware called HelloKitty because the style and naming convention of the note are consistent,” said Brett Callow, Threat Analyst at Emsisoft, adding that it’s impossible to say for sure without looking at the malware himself. “The group behind HelloKitty does not deploy it frequently and the most notable victim to date is the Brazilian power company, CEMIG.” CD Projekt Red did not return a request for comment from WIRED.
Theories vary as to why attackers would target CD Projekt Red.
“I see it more as an opportunistic attack, or maybe even revenge and meanness,” says independent security researcher Tony Robinson. “Ransomware operators are driven by money, but CDPR has promised a lot and failed to deliver, and some may be fair and seek to hurt them.”
Emsisoft’s Callow says he doesn’t see any evidence so far that the recent wave of gaming-related ransomware attacks is connected or part of a specific targeting trend.
“I could be wrong, but I suspect that the fact that a number of game developers have been affected by ransomware in recent months is nothing more than a coincidence, which does happen from time to time,” he said.