
Cyberpunk 2077 maker refuses to play ransomware attacker’s game

Good morning. David Meyer here in Berlin, filling in for Alan.

What should you do if you get attacked by online extortionists? If you’re CD Projekt, the Polish studio behind the Witcher games and recent blockbuster Cyberpunk 2077, the answer to the ransomware threat is openness.

This morning, CD Projekt announced on Twitter that someone had gotten into its internal network, stolen data, encrypted some systems, and left a ransom note—which the company also published in the tweet. The attackers threatened to release CD Projekt Red’s source code online and give journalists internal documents relating to accounting, investor relations and so on.

“We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data,” the company said, adding that it has notified law enforcement as well as the Polish data protection authority, even though it doesn’t believe “at this time” that players’ or users’ personal data got caught up in the heist.

CD Projekt’s share price fell as much as 6% on the news, and the replies to its tweet also show a mix of schadenfreude and disbelief on the part of some gamers—Cyberpunk 2077’s release was plagued by bugs on the PC and older consoles, so its reputation was already precarious. Perhaps the company had no choice but to get ahead of the news, given the added reputational damage that might come from trying to cover up the breach and getting found out.

But leaving aside this context, CD Projekt’s response seems to be the right one. Downplaying the ransomware threat seems foolish when it continues to grow at a rapid pace and when the extortionists are, shall we say, less than trustworthy.

The cybersecurity firm Proofpoint released a survey yesterday suggesting two-thirds of U.S. organizations got hit by ransomware infections last year, and more than half of them agreed to pay the ransom so they could quickly regain access to their data. But only 60% actually got that access after the initial payment—the rest then got additional ransom demands, which most paid.

Probably wise of CD Projekt not to play the attacker’s game, then. More news below.

David Meyer
@superglaze
