When the news broke that Polish software developer CD Projekt Red (CDPR) had been hit with a ransomware attack, the company profile upstaged the actual hack, and for good reason. CDPR helped create a murderer’s row of high-profile intellectual properties in video games.
Among those properties perhaps best known is Cyberpunk 2077, a high profile (and problematic) release of last year. It featured a digitized Keanu Reeves as one of its main characters. Another CDPR game called The Witcher spun off a successful Netflix series as well as tie-in comic books and merchandise in addition to its best-seller status in its own silo.
CDPR initially announced the ransomware attack via their Twitter feed February 8.
“Your [sic] have been EPICALLY pwned!!” read the ransom note. “We have dumped FULL copies of the source codes from your Perforce server for Cyberpunk 2077, Witcher 3, Gwent, and the unreleased version of Witcher 3!!!”
CDPR refused the demands made by the ransomware gang Hello Kitty. In a public statement, the company said, “[we] will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data.”
Hello Kitty announced that it would auction the source code from CDPR’s titles with bidding starting at a minimum of $1 million in bitcoin, increasing in $500,000 increments with an option to buy them outright for $7 million. Participants in the auction needed to pay an ante of 0.1 Bitcoin, or roughly $4500. They also released the source code to one of the titles as proof, The code was verified to be authentic.
While a multimillion dollar price tag was initially met with skepticism, the source code to CDPR’s titles were allegedly snapped up on a dark web marketplace. The only stipulation was that the code not be re-sold or distributed in the future.
“An offer was received… that satisfied us,” wrote a member of the ransomware gang on a dark web forum.
The ransomware, extortion, and subsequent release of data bears some similarities to the 2014 Sony Pictures hack, where hackers thought to be connected to the North Korean government acquired and leaked a trove of intellectual property, including as-yet unreleased movies, scripts, and internal correspondence from the film studio. In both cases, major figures in the entertainment industry associated with high-profile intellectual properties faced a loss of revenue and internal data.
Where the CDPR breach differs is the nature of the data that was stolen. For a video game studio, the compromise of data is a compromise of the company’s DNA, including the functionality, look, and feel of their productions. Character art and design, as well as complicated physics software to control how players can interact are key components and valuable trade secrets.
Some skepticism does remain as to whether or not the source code itself was auctioned off.
“There is another possible scenario that we think is more likely: no buyer exists and the closure of the auction is simply a means for the criminals to save face after failing to monetize the attack following CD Projekt’s refusal to pay the ransom,” wrote cybersecurity analyst Brett Callow.
Takeaways:
- The extortion schemes connected to ransomware are becoming more sophisticated. The complexity and high price point of the compromised data from CDPR may become a trend.
- The video game industry is increasingly targeted by hackers and other threat actors. Recent targets including Nintendo, Capcom, and CDPR.
- The rule of the road is still the same: Don’t negotiate with hackers.