CD Projekt Red hit by ransomware attack, says it won’t pay up

Lots of source code was stolen, but it seems like no personal information has been compromised.

CD Projekt Red, developer of last year’s most botched game release, has found itself subject to a ransomware attack. The company has decided not to acquiesce to the attacker’s demands, it said in a tweeted statement early this morning.

“An unidentified actor gained unauthorized access to our internal network, collected data belonging to CD PROJEKT capital group, and left a ransom note the content of which we release to the public,” the company writes.

No personal information has been accessed, as far as the company can tell, and it’s already contacted law enforcement and IT forensic specialists to investigate. CD Projekt Red says its backups remain intact and they’re already being restored.

After everything CD Projekt Red has been through in the last few months, you’d think the universe would finally be done wreaking havoc upon the company. But here we are.

Hello, CD Projekt — The intent and seriousness of this ransomware attack is difficult to judge based on the ransom note alone. “Your have been especially pwned!!” the note begins — and it doesn’t get much better written from there. The attackers say they’ve grabbed the full source code for Cyberpunk 2077, The Witcher 3, and Gwent. They claim to have also copied all documents related to accounting, legal, HR, investor relations, “and more.”

CD Projekt Red

It sounds like CD Projekt Red has locked down its hatches as best as possible, now. This isn’t the company’s first ransomware rodeo — back in 2017, an attacker left a similar note for the company. The public never saw much out of those threats.

A series of unfortunate events — CD Projekt Red has had a rough month and also a rough year. Just last week the company found itself in a somewhat sticky situation: just days after the launch of Cyberpunk 2077’s official modkit, the company issued a statement warning that most mods had the potential of opening up a user’s computer to cyberattacks.

Of course, that’s small fries in comparison to the company’s other troubles in months prior. We’re all familiar at this point with the intense flop of a launch for Cyberpunk 2077, so we won’t dwell too long on the intimate details. Suffice it to say this attack is certainly the equivalent of kicking someone when they’re already down.

CD Projekt Red is already facing lawsuits from scorned investors let down by the hype monster. The company’s struggle is far from over: it's going to be a very long time — if ever — before it recuperates from the setbacks of the last few months.