UPDATE
CD Projekt Red, the videogame-development company behind Cyberpunk 2077 and the wildly popular Witcher series, has suffered a ransomware attack that could soon result in troves of company data being dumped online – including game source code.
The Warsaw-based company tweeted out a notice on Tuesday, warning of “a targeted cyberattack in which some of our systems have become compromised.”
The news comes on the heels of weeks of controversy over the company’s blockbuster release of Cyberpunk 2077, which suffered glitches and console problems that engendered high levels of dissatisfaction among fans, who had waited more than a year for the much-hyped giant sandbox game.
However, unhappy players are not likely behind the event. Researcher Fabian Wosar noted that the adversaries, according to his analysis, are likely the same ransomware group that hacked the Brazilian energy company CEMIG last December.
“The amount of people that are thinking this was done by a disgruntled gamer is laughable. Judging by the ransom note that was shared, this was done by a ransomware group we track as ‘HelloKitty,’” he said. “This has nothing to do with disgruntled gamers and is just your average ransomware.”
What is the Best Ransomware Defense? Backups
An unidentified cyberattack group “gained access to our internal network, collected certain data belonging to CD PROJEKT Capital Group and left a ransom note,” the company said.
The ransomware also encrypted the company’s systems. But interestingly, that seemed to be an afterthought for the threat actors. The company noted, “Our backups remain intact. We have already secured our IT infrastructure and begun restoring the data” – and that is exactly what the attackers seemed to have expected.
In the ransom note (also tweeted out), the cybercriminals said, “we have encrypted all of your servers, but we understand that you can most likely recover from backups.”
So, the real game afoot has to do with the information that the attackers claim to have stolen. Cyber-extortion in this case appears to be evolving toward holding data hostage rather than preventing access to mission-critical systems.
That also means the sophistication level of the attackers in this case is probably fairly high, researchers said.
“We’ve seen ransomware evolve, not only is it enough for criminals to encrypt data, but they will spend time within the victim’s organization, stealing valuable data, working out which data is worth encrypting and how much they should set the ransom at,” Javvad Malik, security awareness advocate at KnowBe4, told Threatpost. “In many cases, these criminals go undetected in victim organizations for many months at a time.”
Wosar noted via Twitter that breadcrumbs point to the attackers being English-speaking rather than one of the Russian-language gangs most known for spreading ransomware.
“They certainly have a better command of the English language than your average ransomware thug,” he tweeted. “The ransomware is also missing the usual check for CIS countries [the Commonwealth of Independent States, made up of ex-Soviet countries]. So I wouldn’t be surprised if the group or the affiliate who pulled off the hack grew up with western culture.”
Cyber-Extortion Evolves: Data Threats
The cyberattackers told CD Projekt Red they have “dumped full copies” of the source code for Cyberpunk 2077, Gwent, the Witcher 3 and an “unreleased version” of the Witcher 3, and that they have stolen sensitive corporate information relating to accounting, administration, HR, investor relations, legal and more.
“Source codes will be sold or leaked online, and your documents will be sent to our contacts in gaming journalism,” according to the note, which went on to say that not paying up would have an impact on the company’s public image, stock price and investor confidence. The attackers claimed that the information will expose how terribly the company is run.
Release of the source code would allow fans to develop game hacks and perform all kinds of “modding” (i.e., development of custom features) and jailbreaks; and would be a gift to competitors.
And, “if the attackers were able to exfiltrate source code for the popular Cyberpunk 2077 and Witcher games it could lead to more targeted exploit development aimed at a widespread player base,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel.
To boot, the company has a lot to lose financially: CD Projekt Red stock is traded in the over-the-counter (OTC) market in the U.S. under the ticker symbol “OTGLY.” As of last year, it had reached a valuation of $8.1 billion, making it the largest video game company in Europe, even ahead of Ubisoft. At press time the stock was trading around $77 per share.
“In this case, the ransomware itself isn’t the issue – it’s more of a statement to signal that they have breached the organization,” Malik said. “The fact that the ransom note was addressed to them shows it was a targeted attack.”
He added, “The issue with this approach is that even if the victim pays the money, there is no way to guarantee the criminals will actually delete the data.”
CD Projekt Red isn’t giving in, though: “We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data,” it said, adding that “the compromised systems did not contain any personal data of our players or users of our services.”
Tweet: “Important Update” — CD PROJEKT RED (@CDPROJEKTRED), February 9, 2021
This approach is not unheard of for gaming targets. In October, the Egregor gang claimed to have lifted both source code and some proprietary files from game publisher Ubisoft. Specifically, the group’s threat concerned Watch Dogs: Legion, which at the time was still unreleased.
Insult to Injury: Cyberpunk 2077 Woes
CD Projekt Red has had its share of problems in the last few months. The company’s release of Cyberpunk 2077 in the fall didn’t go as expected, with glitches getting so bad that Sony even pulled the game from the PlayStation store, offering a full refund to those who had already purchased it. To make matters even worse, some users seeking refunds then experienced problems downloading the form to register for that refund.
Meanwhile, last week the company warned about “a vulnerability in external DLL files the game uses which can be used to execute code on PCs,” for which it released a hotfix a couple of days later. The bug would allow a malicious desktop “mod” – players can use third-party modules to customize the game – to take over machines.
The title has also been a target for malware scams. Before the game was even released, threat actors were exploiting its popularity with scams offering “free copies” of the game while stealing personal information.
And in December, the CoderWare ransomware was found masquerading as a download of Cyberpunk 2077 from a fake version of the Google Play mobile app marketplace.
This post was updated at 11:40 a.m. ET with information about the Hello Kitty ransomware gang and additional researcher comments.