In a cruel twist of fate, the developers of the now-infamous Cyberpunk 2077, CD Project Red, have been targeted by a ransomware attack.
The game was released with a very rocky start, at least on consoles, with multiple crashes and bugs reported on both Playstation 5 and Xbox One X versions of the game, and the Playstation 4 and Xbox One releases being nearly unplayable.
Many gamers ended up angry at the state of the game’s release and demanded refunds, causing an unprecedented refund policy to take place, which allowed both digital and physical copies of the games to be returned, including retail stores such as Best Buy, which typically has a zero policy for returning opened video games. Sony even went as far as to completely remove the title from its digital storefront until it was fixed, and it still remains delisted as of this writing, with the only active link sending you to a page with information about the refund.
With all this chaos ensuing regarding the release of their highly-anticipated title, it’s left the company with a tarnished reputation and a lot of lost revenue. It certainly isn’t a call for retaliation, however.
Hackers were able to access the company’s internal network, encrypt accessed devices and collect source code and other internal documents. They then sent a message to the developer, demanding them to come to an agreement with them, or they would be selling access to the files online to others. Among the games source codes that were being held ransom are Cyberpunk 2077, Witcher 3, Thronebreaker, and an unreleased version of Witcher 3 that offers raytracing.
On February 9th, CD Project Red responded publicly that they were a “victim of a target cyber attack” online, and stated that they would “not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data.” They proceeded to contact their local authorities and call in IT forensic specialists to assist them with the leak.
Calling their bluff, the hackers did as they promised, and posted an auction on the EXPLOIT online forum, starting the bidding at 1 million dollars, with increments of 500,000 dollars. You could also outright purchase the data for 7 million if you didn’t want to bid. To discourage non-serious bidders, they set it up so that in order to even participate in the auction, you must have deposited 0.1 Bitcoin to the forum itself.
That’s an insane amount of money for an unprecedented event. Many companies have had their source code leaked over the years, but CD Project Red putting their foot down and not giving in to the demands of their attackers sets a standard that extortion is not a viable tactic. It may still allow those hackers to make money off the process, but it likely will discourage the activity and perhaps discourage future attempts.
Ransomware can be a dangerous form of cyber attack, as attackers can compromise and lock down systems, and then, in turn, demand payment to give access back. In 2020, it was a major concern for hospitals and other health care providers during the pandemic, as the threat of being unable to access their systems during such a crisis made the demands even more lucrative. Hopefully, as companies and individuals become more aware of security vulnerabilities in their own networks, including examples from stories such as these, we will all collectively work towards alleviating these kinds of devastating attacks in the future.