‘Cyberpunk 2077’ maker hit by ransomware – and won’t pay

Ransomware became an increasingly dire threat throughout 2020, as hackers continued to target hospitals and healthcare providers in the midst of a pandemic. A minor trend has also been forming in recent months, with a wave of attacks on video game companies, including Ubisoft, Capcom and Crytek. Now the developer CD Projekt Red, which launched the famous blockbuster Cyberpunk 2077 in December, is the most recent target.

On Tuesday, CD Projekt Red revealed that it had been the victim of a ransomware attack. “Some of our internal systems have been compromised,” said the company in a statement posted on Twitter. The attackers encrypted some computers and stole data, but CD Projekt Red said it would not pay the ransom and is restoring its systems from backups. The incident comes after CD Projekt Red has faced months of constant criticism for its overhyped Cyberpunk 2077 launch. The game had so many performance problems on different platforms that Sony withdrew it from the PlayStation Store and, together with Microsoft, offered refunds to players.

Despite the company’s recovery efforts, it still faces potential consequences. The attackers apparently stole the source code not only for Cyberpunk 2077 but also for other CD Projekt Red games such as Witcher 3, an unreleased version of Witcher 3, and Gwent, the Witcher digital card game. The attackers also claim that they stole business information, such as investor relations, human resources and accounting data. CD Projekt Red claims that there is no evidence that customer data has been compromised in the breach.

“If we don’t reach an agreement, then your source code will be sold or leaked online and your documents will be sent to our contacts in gaming journalism,” said the attackers in their ransom note. “Your public image is going to fall even more.”

CD Projekt Red has released patches for Cyberpunk 2077 in an attempt to improve the stability of the game and do damage control. But the company faces a lawsuit from investors, accusations that it forced developers to work absurd overtime to finish the game, and criticism about the use of confidentiality agreements to prevent journalists from accurately reporting the game’s deficiencies before launch.

The company says the attackers have not yet been identified, but the ransom note and its file name, “read_me_unlock.txt”, are familiar to researchers at the antivirus company Emsisoft.

“This attack appears to involve a type of ransomware called HelloKitty, as the note’s style and naming convention are consistent,” said Emsisoft threat analyst Brett Callow, adding that it is impossible to say for sure without looking at the malware itself. “The group behind HelloKitty does not deploy it often and the most notable victim so far is the Brazilian energy company, CEMIG.” CD Projekt Red did not return a request for comment from WIRED.

Theories vary as to why the attackers targeted CD Projekt Red.

“I see this more as an opportunistic attack, or perhaps even revenge and spite,” said independent security researcher Tony Robinson. “Ransomware operators are motivated by money, but CDPR has promised many things and has failed to deliver on them, and there may be some who are hypocritical and seek to hurt them.”

Emsisoft’s Callow says he has seen no evidence so far that the recent wave of gaming-related ransomware attacks is connected or part of a specific targeting trend.

“I may be wrong, but I suspect that the fact that several game developers have been hit by ransomware in recent months is just a coincidence, which happens every now and then,” he says.
