Cyberpunk 2077 creator was hit by ransomware – and won’t pay

Ransomware became a growing threat in 2020 as hackers continued to target hospitals and healthcare providers during a pandemic. A smaller trend has also been emerging in recent months, with a wave of attacks on video game companies including Ubisoft, Capcom and Crytek. Now the developer CD Projekt Red, which released the maligned blockbuster Cyberpunk 2077 in December, is the latest target.

On Tuesday, CD Projekt Red announced that it was the victim of a ransomware attack. “Some of our internal systems have been compromised,” the company said in a statement posted on Twitter. The attackers encrypted some computers and stole data, but CD Projekt Red said it would not pay the ransom and would restore its systems from backups. The incident comes as CD Projekt Red faces months of continued criticism for its bug-ridden, overhyped Cyberpunk 2077 release. The game had so many performance issues across platforms that Sony pulled it from the PlayStation Store and, along with Microsoft, offered players refunds.

Despite the company’s recovery efforts, it still faces potential consequences. Apparently, the attackers didn’t just steal the source code for Cyberpunk 2077 but also for other CD Projekt Red games like Witcher 3, an unreleased version of Witcher 3, and Gwent, the digital Witcher card game. The attackers also say they stole company information such as investor relationships, human resources and accounting records. CD Projekt Red says there is no evidence that customer data was compromised during the breach.

“If we don’t come to an agreement, your source code will be sold or leaked online and your documents will be sent to our game journalism contacts,” the attackers said in their ransom note. “Your public image will become even more confused.”

CD Projekt Red has released patches for Cyberpunk 2077 in an effort to improve the stability of the game and limit damage. But the company is facing a lawsuit from investors, allegations that it forced developers to work unreasonable overtime to finish the game, and criticism for using nondisclosure agreements to prevent journalists from accurately reporting on the game’s shortcomings prior to the game’s release.

The company says the attackers have not yet been identified, but the ransom note and file name “read_me_unlock.txt” are known to researchers at the antivirus company Emsisoft.

“This attack appears to involve a type of ransomware called HelloKitty as the note’s style and naming convention are consistent,” said Emsisoft threat analyst Brett Callow, adding that it’s impossible to say for sure without examining the malware itself. “The group behind HelloKitty does not use it often and the most notable victim so far is the Brazilian energy company CEMIG.” CD Projekt Red did not return a request for comment from WIRED.

Theories differ as to why attackers would target CD Projekt Red.

“I see it more as an opportunistic attack, or maybe even as revenge and resentment,” said independent security researcher Tony Robinson. “Ransomware operators are motivated by money, but CDPR made many promises and failed to deliver, and there may be those who are just self-righteous and try to hurt them.”

Emsisoft’s Callow says he sees no evidence so far that the recent wave of gaming-related ransomware attacks is related to or part of a specific targeting trend.

“I could be wrong, but I suspect that the fact that some game developers have been affected by ransomware in recent months is nothing more than a coincidence, and it does happen,” he says.
