CD Projekt Red is one of the most important independent video game studios on the planet with a capitalization close to 10 billion dollars thanks to bestsellers such as The Witcher 3: Wild Hunt. It is also well known for its GOG store, highly appreciated by users for launching DRM-free titles and one of the great alternatives in digital video game distribution to the giant Steam.
But we are not here to talk about games; we are here to talk about CD Projekt Red's response to a security incident. Like many others, the company has not been spared a ransomware attack, with file encryption and theft of confidential information.
And the fact is that ransomware continues to roam freely on the world's computer networks. Over the past two years it has become the main cyber threat to the technology industry, and since the initial attacks on private users a decade ago, cybercriminals have found a rich vein in organizations, critical infrastructure and companies, which generally tend to pay the extortionists.
And that is a big mistake, because paying does not always guarantee the recovery of the files and it also sends a terrible message: companies are willing to pay even if, in doing so, they (unintentionally) finance the cybercrime industry.
CD Projekt Red’s response
The response of this company has surprised the technology and cybersecurity community. Not only has it refused to pay, but it has acknowledged the incident and published the extortion demand, the ransom note left by the hackers, in which they threaten to publish the source code of released and future games, as well as various internal documents.
“If we cannot reach an agreement, the source codes will be sold or leaked online and your documents will be sent to the media. Your public image will sink and investors will lose confidence in your company”, the attackers write, giving a period of 48 hours to comply with their demands:
Important update pic.twitter.com/PCEuhAJosR
– CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
The extortion is typical, but the studio's unusual response is not. In a statement, a defiant CD Projekt Red said that it would not agree to the demands or enter into negotiations, despite fears that its decision would end in the public disclosure of its internal data, and despite the incident not coming at a good time, after the fiasco of the launch of its latest game: Cyberpunk 2077.
The company has given assurances that no customer data has been compromised, although the investigation continues, and has reported that it has entered incident response mode, restoring encrypted systems from backup copies and tightening the security of its IT infrastructure.
Cybersecurity specialists at F-Secure have praised the company's response: “CD Projekt Red has done a good job of being transparent, where the statement was published almost immediately after discovering the infringement. Transparency is key to demotivating attackers from having an advantage in the negotiation process”. ESET has also pointed out the importance of this type of strategy, using “a correct protocol to resist such lawsuits and disruptions by refusing to pay attackers”.
“Securing the entire software supply chain is a high priority for businesses of all kinds these days after the attack on SolarWinds at the end of 2020. For companies where code is their product, it's even more important to get it right”.
For game developers and publishers, protecting their operations means protecting game assets and intellectual property along with the cloud instances and the services that those instances run, as the security flaw is suspected to have been in a tool of the development process.
Although security does not appear to have been the best, the response to the incident deserves to be highlighted. And refusing to pay is an advisable strategy, which helps not to feed the ‘beast’ that ransomware has become.