Cyberpunk 2077 And Witcher 3 Source Code Pwned In Brazen CDPR Ransomware Attack
Game developer CD Projekt Red announced on Twitter that it has fallen prey to a "targeted cyber attack," in which an unidentified actor (or actors, as the case might be) gained unauthorized access to its internal network and are demanding a ransom. In a ransom note left by the attacker(s), it is claimed they managed to steal the source code for a few prominent titles, including Cyberpunk 2077, The Witcher 3, Gwent, and an unreleased version of Witcher 3.
It's not clear if the hack did actually result in stolen source as claimed, though CD Projekt Red did acknowledge that the responsible party "collected certain data" belonging to the developer, and also encrypted some devices on the network. Encryption is typically a key part of ransomware attacks—attackers encrypt a victim's files, then demand a ransom (often in Bitcoin) for a decryption key. As added motivation to pay up, hackers sometimes threaten to permanently delete the data after a specified period of time.
Whatever data the hacker is in possession of, CD Projekt Red does not feel compelled to pay up.
"We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data. We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching the parties that may be affected due to the breach," CD Projekt Red said.
Reading between the lines, it sure seems like the developer is acknowledging the claims laid out by the cyber-attacker. The ransom note taunts the developer, saying it has been "EPICALLY pwned!!," and added if no agreement is reached, they would release or sell the stolen source code and various administrative documents to their "contacts in gaming journalism."
Here's the full text of the communication, as posted by CDPR:
!!!!! Hello CD PROJEKT !!!!Your have been EPICALLY pwned!!
We have dumped FULL copies of the source codes from your Perforce server for Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher 3!!!
We have also dumped all of your documents relating to accounting, administration, legal, HR, investor relations and more!
Also, we have encrypted all of your servers, but we understand that you can most likely recover from backups.
If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism. Your public image will go down the shitter even more and people will see how you shitty your company functions. Investors will lose trust in your company and the stock will dive even lower!
You have 48 hours to contact us.
The cyberattack comes on the heels of CD Projekt Red receiving criticism over the state of Cyberpunk 2077 at launch. Following massive hype and anticipation, it was buggy at launch, and did not look or perform as users hoped on previous generation game consoles (PlayStation 4 and Xbox One). Sony even ended up removing the game from its PlayStation Store, and offered disappointed gamers refunds. This is part of what the hacker is referencing, in regards to CD Projekt Red's "public image."
As for The Witcher 3, while several years old at this point, it remains a popular game, helped in part by Netflix releasing an ongoing original series called The Witcher.