CD Projekt Red 'EPICALLY pwned': Cyberpunk 2077 dev publishes ransom note after company systems encrypted

CD Projekt Red, the Polish developer of Cyberpunk 2077 and The Witcher 3, has disclosed a major security incident in which several company systems were encrypted and confidential data stolen. The studio took the unusual step of publishing the ransom note left by the hackers, which threatens to release the source code for its …

  1. Aaiieeee

    I reckon they are taking the right approach based on the article.

    Since all the source code nabbed was for games already released, is it that much of a commercial issue for it to be made public? Most people out there will never know about this and it's not likely to impact game sales?

    1. Anonymous Coward

      Re: I reckon they are taking the right approach based on the article.

      Hopefully the hackers will patch it and release it.

      1. Robert Carnegie Silver badge

        Re: I reckon they are taking the right approach based on the article.

        I deplore hackers, but if they've got the source code for "Cyberpunk 2077", isn't that enough punishment? Or would you make them play it?

    2. Mike Richards Silver badge

      Re: I reckon they are taking the right approach based on the article.

      More than likely there is a proprietary game engine or AI system that CD Projekt will want to keep under wrappers.

      Though if some of the reviews are to be believed, they might benefit from Open Sourcing Cyberpunk and asking people to fix some of the bugs.

      1. sev.monster Bronze badge

        Re: I reckon they are taking the right approach based on the article.

        Ugh, I really hope they leak the source so the community can finish the game and fix bugs. I wish I were joking.

        I will be first in line editing that trash.

    3. 142

      Re: I reckon they are taking the right approach based on the article.

      There was a completely separate cyberpunk multiplayer game. If the source code for that has been leaked, that will be a major problem for that game's progress.

  2. revenant

    "...your documents will be sent to our contacts in gaming journalism"

    That seems to be an odd sort of threat. Are there any gaming journalists happy to own up to having contact with scum like these?

    1. Anonymous Coward

      Re: "...your documents will be sent to our contacts in gaming journalism"

      More blackmail? Either send us bitcoins or you'll become one of our "contacts". ;-)

    2. Anonymous Coward

      Re: "...your documents will be sent to our contacts in gaming journalism"

      There are very few gaming "journalists" who don't just jump however high game publishers tell them to.

      But I wouldn't be surprised if the few people who do actually bite the hands that feed the games "journalism" industry see the "scum like these" as the lesser of two evils when compared to the activities of "triple-A" game publishers.

  3. Anonymous Coward

    Cyberpunked

  4. Chewi
    Linux

    A good opportunity to open source these games? We could get some native Linux versions out of this! You never know, the community might even fix a few of those pesky bugs. ;-)

    I'm only semi-serious, of course. Whatever they choose to do, this is still a shitty thing to happen to any company.

    1. Blackjack Silver badge

      You can't open source games like that unless the IP owners are okay. What you can do is make a similar game. Just like SuperTuxKart is similar to Mario Kart and Crash Team Racing.

      1. Alan Brown Silver badge

        or SCUMM-like engines enabling the games to be run in various environments

        1. ssokolow

          That's different. That's either reverse-engineering the engine from scratch or accepting donations of source from the legitimate copyright holders (ScummVM has done both, depending on which engine you're talking about) so that it's legally clean.

      2. sev.monster Bronze badge

        They absolutely can release the source, and I absolutely will break copyright and IP law to make the game less garbage. Is it "open source"? Not really, but the source is open for the taking, so semantics schemantics.

  5. Anon
    Holmes

    Go get 'em!

    Did the hackers pause to consider that the victim might have enough money to put a considerable bounty for their imprisonment on their heads?

    1. Missing Semicolon Silver badge
      Devil

      Re: Go get 'em!

      "imprisonment"? Yeah, a bounty for imprisonment. There are other bounties.....

      1. seven of five Silver badge

        Re: Go get 'em!

        Eh, this is Poland, not Belarus or Ukraine.

      2. GreggS

        Xerox

        I like the dark chocolate one.

  6. Duffaboy

    Let them publish the source code

    and in doing so we can help them patch their games

  7. SJP

    Air-gap

    I want to say, “When will major companies learn!? Air-gap your most important Intellectual Property!”

    Avoids theft and denial of access to it.

    Closed source code crucial to the future of the company, should not be addressable outside of the company. And only key internal staff should have the physical and logical ability to create encrypted backups, as a part of their job requirements.

    No Internet connected servers, no WiFi, no Bluetooth, no wireless keyboard or pointing devices, no USB access.

    But then... COVID-19 threw a massive spanner into the works. :(

    So the next best thing, NetSec with extensive defence-in-depth, minimum privs across the board, move fast on updates, encrypted data at rest and in flight, etc.

    1. Anonymous Coward

      Re: Air-gap

      "encrypted data at rest ..."

      They have been helped with that one.

    2. HildyJ Silver badge
      Boffin

      Re: Air-gap

      First, CD Projekt Red is not a major company. It's got a bit over 1k employees.

      Second, even before the pandemic, developers worked remotely.

      Air-gap is a great solution if your mainframe only accepts hardwired connections from dumb terminals operated by employees and you bury it all in a mountain. Otherwise securing your connections and users is the direction to go in the current and future environment.

      1. YetAnotherLocksmith

        Re: Air-gap

        A thousand+ employees isn't "major"? Really? That's more than the entire UK owned car industry's combined head count.

        1. Loyal Commenter Silver badge

          Re: Air-gap

          Do you know anyone who drives a car made by a UK owned car company? One that is still UK owned? I don't think I know anyone at all who owns a Morgan, McLaren, or Caterham, and I know a few people who are actual classic car collectors (one tried to offload a Ford Model T ambulance on me, I wasn't biting!)

          1. Giles C Silver badge

            Re: Air-gap

            I do, a vehicle from Tiger Racing a family owned company in Wisbech

      2. SJP

        Re: Air-gap

        If you want to be pedantic about the term, "major company", it has nothing to do with number of employees. It's about revenue. On that basis, CD Projekt Red also would not be considered a major company, but I wasn't being pedantic with my use of that term.

        Avoiding air-gapping even outside of a pandemic, does not refute the benefits of air-gapping. The point I raised about COVID-19 throwing a spanner in the works, is merely to say that a pandemic makes air-gapping essentially impossible to work with during that pandemic.

        I've personally been involved with numerous air-gapped systems/data in corporate law. Where teams of people had access to systems and data which were physically and logically confined.

        Air-gapping is a thing and it's not just used inside mountains by NORAD types. Other industries use air-gapping also. It's used for life critical systems, major infrastructure, finance and it is also used in software development.

        The outcome here says it all though. If it is vital to your company that the Intellectual Property in your source code be kept secured, under normal circumstances air-gapping with minimum privs can be a viable option. It certainly is for some.

    3. a_yank_lurker Silver badge

      Re: Air-gap

      Air gapping sensitive information is an idiotic solution in most cases as it means the company should just shut down as it would be impossible to conduct any business with customers. Too much business is conducted online today for isolation to be remotely effective.

      1. SJP

        Re: Air-gap

        Oh, games developers like CD Projekt Red are in the business of providing their gaming customers with their SOURCE code? You are confused about what and how the air-gapping solution is used and what it protects.

    4. TheMeerkat Bronze badge

      Re: Air-gap

      And how do you propose to “air gap” source code when developers are working from home?

      1. Loyal Commenter Silver badge
        Joke

        Re: Air-gap

        With wireless technology everyone can be air gapped!

      2. SJP

        Re: Air-gap

        I see that you didn't get to the part where I said...

        "But then... COVID-19 threw a massive spanner into the works."

  8. The commentard formerly known as Mister_C Bronze badge
    Joke

    Look for the hackers behind a hedge (fund)

    "Investors will lose trust in your company and the stock will dive even lower!"

    So just another exercise in short-selling going on. Maybe by a more proactive hedge fund.

    1. Chris J

      Re: Look for the hackers behind a hedge (fund)

      I love that Gen Z now know what short-selling is. Thanks, Reddit.

  9. SuperGeek

    Release the source

    And let someone who actually knows how to develop a game fix the thing!

    CP 2077 stinks as much as CD Projekt's bad PC port of Saints Row 2, which never got fixed properly. They still haven't learnt.

  10. tin 2

    bonus points...

    ...for "down the shitter". English hackers then?

    1. YetAnotherLocksmith

      Re: bonus points...

      I know a few who were really rather looking forward to their new shiny Christmas game treat, and instead got Cyberpunk 2077... So I won't say it isn't possible. And, of course, there's no EU police cooperation now!

  11. Potemkine! Silver badge

    When your source code is your biggest asset, protect it

    When I was a software developer in a previous life, we had all our source code on a network _physically_ separated from the rest of the World, on encrypted disks. To steal the code one would have to be physically in the building and to be able to break in the good servers.

    Nowadays everything is open, connected, sometimes even in the cloud. That's like putting your money on a table visible to anyone, and thinking nobody will try to break that window.

    1. TheMeerkat Bronze badge

      Re: When your source code is your biggest asset, protect it

      These days the developers, the guys who need access to the code, are working from home.

      1. Potemkine! Silver badge

        Re: When your source code is your biggest asset, protect it

        You can't have the butter, the money for the butter, and the creamer lady butt..

        It's always down to risk assessment: if you authorize WFH on your critical systems, be sure to have offline backups with restoration tested routinely, and don't mind to have your data potentially stolen.

        1. ShadowDragon8685

          Re: When your source code is your biggest asset, protect it

          That's... Exactly what they did? They're apparently restoring from backup.

  12. 2Fat2Bald

    Air gapping is a two-edged sword, as has been pointed out. Years ago (early 00s) I worked for a company where they had 2 air-gapped networks and the "inner" (secure) network was literally not routed outside the building at all. So how did people WFH or whatever? - KVM over IP. Yep, they literally VPN'd into the "outer" (admin/general) network and jumped onto a KVM switch that was attached to a desktop PC (I kid you not) in a rack that was on the "inner" network. So you had full access and could work with (and screen-shot!) anything. You just couldn't copy anything off to anywhere as there were precisely no routes off that network. All you could do is type, mouse and watch.

    Always struck me as a simple answer to a problem.

    To extract stuff I suppose you could pull something up, scroll through it and use OCR to reconstruct it or use a virtual keyboard to "type" malicious code in very quickly? - this is the thing. There's always a way.

  13. Andre Carneiro

    2021 continues where 2020 left off

    I'm actually feeling sorry for the buggers. It's not been an easy few months for them.

    Great PR move, IMHO. Being honest about it reduces the leverage from the blackmailers and may even garner some public sympathy (has done for me!).

    1. ShadowDragon8685

      Re: 2021 continues where 2020 left off

      Remember,

      "Twenty-Twenty won".

  14. Alan Brown Silver badge

    At some point

    The response is going to be the kind stated by Liam Neeson in Taken

    Except the warning may not be issued first

    These gangs are playing with fire and risking more than just being roasted

  15. FlamingDeath Silver badge

    Sounds like an inside job

    Lots of that going around these days

    1. Andre Carneiro

      Yeah, clearly the butler did it ;)


Biting the hand that feeds IT © 1998–2021