Ransomware became an increasingly dire threat throughout 2020, as hackers continued to target hospitals and health care providers in the midst of a pandemic. A smaller trend has also been brewing over the last few months, with a rash of attacks on video game companies including Ubisoft, Capcom, and Crytek. Now the developer CD Projekt Red, which released the maligned blockbuster Cyberpunk 2077 in December, is the latest target.
On Tuesday, CD Projekt Red revealed that it had been the victim of a ransomware attack. “Some of our internal systems have been compromised,” the company said in a statement posted to Twitter. The attackers encrypted some computers and stole data, but CD Projekt Red said it would not pay the ransom and that it was restoring its systems from backups. The incident comes as CD Projekt Red faces months of sustained criticism for its bug-ridden, overhyped Cyberpunk 2077 release. The game had so many performance issues on different platforms that Sony pulled it from the PlayStation Store and, along with Microsoft, offered refunds to players.
Despite the company’s recovery efforts, it still faces potential fallout. The attackers apparently stole source code for not only Cyberpunk 2077 but other CD Projekt Red games like Witcher 3, an unreleased version of Witcher 3, and Gwent, the digital Witcher card game. The attackers also say they stole business information like investor relations, human resources, and accounting data. CD Projekt Red says there is no evidence that customer data was compromised in the breach.
“If we will not come to an agreement, then your source code will be sold or leaked online and your documents will be sent to our contacts in gaming journalism,” the attackers said in their ransom note. “Your public image will go down the shitter even more.”
CD Projekt Red has released patches for Cyberpunk 2077 in an attempt to improve the game’s stability and do damage control. But the company faces a lawsuit from investors, accusations that it forced developers to work unreasonable overtime to finish the game, and criticism about its use of nondisclosure agreements to keep journalists from reporting accurately on the game’s shortcomings prior to release.
The company says the attackers are as yet unidentified, but the ransom note and its filename, “read_me_unlock.txt,” are familiar to researchers from the antivirus firm Emsisoft.
“This attack looks to involve a type of ransomware called HelloKitty, as the style and naming convention of the note are consistent,” says Emsisoft threat analyst Brett Callow, adding that it’s impossible to say for sure without looking at the malware itself. “The group behind HelloKitty do not deploy it frequently and the most notable victim to date is Brazilian power company, CEMIG.” CD Projekt Red did not return a request for comment from WIRED.
Theories vary about why attackers would target CD Projekt Red.
“I see it as more of an opportunistic attack, or perhaps maybe even vengefulness and spite,” says independent security researcher Tony Robinson. “Ransomware operators are motivated by money, but CDPR promised a lot of things and failed to deliver on them, and there may be some that are just self-righteous and looking to make them hurt.”
Emsisoft’s Callow says he doesn’t see evidence so far that the recent spate of gaming-related ransomware attacks are connected or part of a specific targeting trend.
“I could be wrong, but I suspect the fact that a number of game developers have been hit by ransomware in recent months is nothing more than coincidence, which is something that does happen once in a while,” he says.