Polish game developer CD Projekt Red (CDPR) is refusing to the pay the ransom demanded from hackers after a cyber attack.
CDPR, famous for developing the Witcher game series and the recently released Cyberpunk 2077, had company documents and source code stolen and held under ransom.
In a released statement on Twitter, the company acknowledged that its internal systems had been ‘compromised’, and that an unauthorised actor has gained access to its systems.
CDPR released a copy of the ransom note in the tweet, in which the hackers state they had copied documents, such as those relating to accounting, administration legal, HR, investor relations and more, to an external system.
“If we will not come to an agreement, then your source code will be sold or leaked online and your documents will be sent to our contacts in gaming journalism,” the note continued, giving a deadline of 48 hours.
In response, CDPR said: “We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data.
“We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach.”
Important Update pic.twitter.com/PCEuhAJosR
— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
The studio also said that no personal data was stolen in the attack and that it has “already approached the relevant authorities” to investigate further.
The hack comes off the back of a difficult few months for the popular game developer. The hotly anticipated Cyberpunk 2077 game was met with a frosty reception after suffering from a variety of in-game bugs and issues.
CDPR was forced to apologise for the state of the game, and offered a refund to players, though their reputation was already impacted.
- ABI defends against claims ransomware pay-outs fund crime
- Compromised accounts a serious cyber risk for top games companies
- 5 of the worst ransomware attacks of the past 5 years
Antti Tuomi, Principal Security Consultant at F-Secure, praised the games studio for their handling of the attack.
“In many cases, ransom attacks might not have actually even succeeded in an attack but are luring the target to react quickly and pay a ransom to avoid consequences,” Tuomi said.
“In this case, however, based on CDPR’s message, it appears they have been able to triage the case at least to the level that the breach did indeed happen and that part of their data was indeed encrypted. This lends credibility to the attack.
“The difficult aspect about the data being breached is that there is no reliable way to ever ensure it won’t be published – once it has been copied, you have no means to ensure all copies are deleted even if you paid the ransom.
“CDPR is doing the right thing both for themselves and their customers by acknowledging the issue and its impact as well as informing everyone about what was affected and whether individuals should be worried about their data. Also, not agreeing to pay the ransom, even if it did cause their unreleased game source and assets to be leaked, is commendable.
“Finally, having a working backup system to restore from is likely a sigh of relief for them”.