You might have seen a Triple-A game studio in the news lately as the victim of a cyberattack: CD Projekt Red. These are the folks who created Cyberpunk 2077, the Witcher video game series, and a host of others. They were recently hit by a ransomware event that left an oddly passive-aggressive ransom note, and ultimately, they responded by not responding. Not responding directly, at least.
Ransomware hackers have a vested interest in their public perception. If someone gets the inclination that the ransomware group will sell their data no matter what, then there’s no reason to even bother trying to get the ransom together. Why pay money when you have no guarantee they’ll keep their word?
They’ll go after anybody they think might have the money to pay them. Small businesses are better targets because they’re less likely to have good security, but bigger businesses are more likely to have the funds to pay the demanded ransom. As a result, businesses struck are usually not in the Fortune 500, but are large enough to make the news. This goes hand in hand with building reputation. The story hits the news, and everybody watches the interaction. If the business pays, the hackers get to show honor, and remove the encryption. If the business doesn’t, they get to hurt people, and demonstrate power. ‘Even big companies can’t stop us, what are you going to do?’
If a hacker wants to be a terrorist, they strike without warning and seek chaos. They don’t give any options that could result in bad things not happening. If a hacker wants to be paid, they show that they can hurt you badly, but they also present a way out. Nobody likes fear and uncertainty, so if evil has rules that can be followed, the fear and uncertainty of facing down evil lessens. Ransomware hackers are exploiting this – there’s hope, but only if you pay. They create rules and stick to them.
Of course, this is all due to a problem they’ve created, which is how you get CD’s response – “we don’t negotiate with terrorists.”
It’s strange to release the ransom note in a cyberattack, but CD did, along with a public statement saying they wouldn’t be contacting the hackers for ransom negotiations.
As several users have already noted, the note itself is odd. You don’t see many ransomware notes out and about because there’s usually some line that say the ransomware team will take it as bad faith. This is part of the fear and uncertainty thing mentioned above. The more mysterious the team seems, the scarier they are. And yet this team didn’t specify not to!
Additionally, using the term “pwned” is strange because “pwning” someone first meant beating them really badly in a video game, and then it meant that their personal data had been leaked in a major hacking event. They’re using it to mean the first thing, which is ancient online. How long has it been since you’ve heard “roflcopter”? That’s how long it’s been since pwned sincerely meant ruining someone in a game. Not only that, but there’s a spelling error in that same ‘pwned’ line.
The other strange part of the note is that they’re leaning pretty heavily into damaging CD’s reputation, not their operations. Quite frankly, CD Projekt Red had nothing to fear unless the accounting docs were being cooked for shareholders. Shareholders already know CD’s taken a hit after how Cyberpunk turned out. They know. There was a brief mention of HR docs and personal info, but CD didn’t find evidence that those had been tampered with. Really, it seems like they had to write a ransom note on the fly after discovering they weren’t going to be able to steal all the data they had planned to, so they leaned into what they had instead: the source code, some accounting docs, and unreleased parts of their best-selling games. CD knows this and responds by calling their bluff in a calm and professional manner. “We have a backup.”
It’s a pretty textbook ‘recovery mode’ answer – personal data wasn’t lost in the breach, and the company has both backups and the ability to get into forensic IT. They still have their source code, even though a copy of it was lost. And as said before there’s no evidence that they got as deep into those HR docs as they wanted to, so there’s not really any danger to irreplaceable things like personal safety.
CD Projekt Red wasn’t forced to pay!
It sucks that the source code’s out there, somewhere, but Projekt Red’s decided that’s an acceptable loss. In my opinion, they’ve made a good choice. No big-name studio is going to buy the source code of their competitor if their audiences can tell where it came from. We haven’t seen who bought the source code and the unreleased Witcher 3 (they claim to have) yet, but odds are good they’re going to sit on it for a while to see if the media attention dies down. It’s like buying a stolen painting – you can never display it for what it is until the crime’s out of public memory.
(The responses on their Twitter alert are actually kind of funny in a morbid way – the yellow background used for CyberPunk 2077 status updates wasn’t used in their description of the hacking event, so Twitter users jumped to that first. Looks like bad news comes on white and yellow backgrounds.)
Source code is essentially the soul of a system. Someone else having the source code shouldn’t mean that they need to re-do it all if they also still have backup copies. After all, mod-makers and amateur game designers alike use other software to get deep into the game’s coding to change things, it’s not necessarily a secret, more like a proprietary recipe for fried chicken that could be recreated with chemical analysis and patience. The ransomware team seemed to be banking on the idea that they didn’t have a backup based on that note. Losing the only copy of the source code would have been catastrophic!
It could still be a problem, however. It takes a team of dozens to hundreds of people to make a good, solid, triple A game like CD Projekt Red produces on the regular, and that’s a lot of foundational work that game creators would love to skip. The person (or organization) that bought the source code off the ransomware team stipulated that they couldn’t sell that source code to anywhere else, and as far as we know right now, they haven’t. The person/org who bought it also hasn’t shared it any further either.
Having the source code could theoretically mean that a free download of the game pops up somewhere and slashes sales for the legitimate copy of the game – it’s hard to tell if that’s what they were implying when they showed screenshots of the file menus for Gwent, another CD Projekt Red game. But, as mentioned before, any legitimate studio trying to profit off of it could potentially be sued for copyright infringement. Anyone aiming to reconstruct the game with the source code is doing so to hurt Projekt Red, not to make money.
To Leak or Not To Leak
In the modern world, many companies have had time to prepare for the nightmare that is a ransomware attack. However, cyberattacks are an arms race, and ransomware hackers are aiming to inflict pain. Instead of encrypting everything and demanding money for the key, some threaten to release data instead of destroying it.
A lot of big companies keep backups. If someone can just factory reset their devices and be done with it, the ransomware team has no leverage. Copying that data gives them leverage. It didn’t work here, but it works on government orgs and healthcare systems.
How To Avoid It?
Ransomware can get in a lot of ways, but social engineering tops the list for ease-of-execution. The best way to combat that is solid training for your employees! No clicking on strange links, no downloading attachments from outside the org, no, no, no. Simply knowing what an attack might look like will shore up defenses.
To keep network weaknesses from being an entry point, an anti-virus that uses sandbox technology would notice the odd behavior before it let the virus deeper into the system, unless it was something as technologically advanced as the SunBurst attack a few weeks prior. Most ransomware hackers aren’t looking to get that intense with it. Sunburst was a state-of-the-art program and was likely state funded! Most (not all) ransomware teams lack those resources.
Network segmentation can also help prevent ransomware attacks from completely tanking operations. Requiring certain levels of permissions as well as separate sign-ins for different networks can help to keep everyone safe. Nobody from HR needs to see the code files, and none of the software engineers need un-filtered access to HR’s stuff. By keeping these two drives/networks separate, there’s extra steps to share info, but there’s also a barrier between the two. Hackers won’t be able to get everything!
And, as always, backups help. CD Projekt Red would have been in a terrible spot if they didn’t have a backup of their source code to continue working from, or backups of their financial documents. The backup effectively saved them the cost of the ransom and allowed them to go public with the ransom note. Seeing a big company stay on it’s feet after being hit with ransomware makes it just a little bit less scary the next time it happens to a smaller group!