CDPR has already announced that its next major February patch for Cyberpunk 2077 would be delayed for a few weeks as a result of the ransomware attack on the company, but did not give a firm reason why. Cynics might have wondered whether this delay really had anything to do with the attack itself. Gabe Newell once delayed Half-Life 2 a year after a hacker stole the source code, only to later admit that he had used the hack as an excuse for the delay he was going to have to announce no matter what.
The good news is that CD Projekt Red doesn’t seem to be doing anything that cynical. The bad news, according to Bloomberg, is that the company’s developers are still unable to access their own workstations due to the ransomware attack. CDPR’s VPN (virtual private network) has remained inaccessible for more than two weeks after the attack.
CD Projekt Red has refused to pay the ransom demands, but has apparently not found an alternative solution to its problem. We are not suggesting that the company should automatically pay hackers. If anything, paying these people could prove that holding game developers hostage is a viable market, especially if attackers could pull it off just before a game is supposed to go gold.
The Bloomberg report also sheds light on the effect the hack has had on CDPR developers. Employees have been advised to freeze all their accounts and report the potential for identity theft to the appropriate authorities, based on the idea that hackers may have had access to this information. In addition, they were asked to send their computers to the company’s IT staff for analysis for potential malware and security attacks.
This is not a good sign
This report, if accurate, implies that CD Projekt Red is in worse shape than it appears. Staff were reportedly told that the attackers “may” have accessed their personally identifiable information. This, combined with the request that they send in their own systems, could mean that CDPR has not yet identified the attack vector or the exact data stolen.
CDPR’s initial hack announcement noted that the company had engaged the services of IT forensic specialists. The vast majority of forensic specialists can also help a business reconnect after a security breach like this, including restoring employee access to critical backend systems like the corporate VPN. If the VPN is not already up and running, this points to some other difficulty with the investigation.
Even if CDPR had backups, there is no guarantee that those backups are not encrypted as well. Protected or off-site backups, if any, may have been old or incomplete. Ransomware attacks can be very difficult to defend against without a solid backup strategy. We hope that the patch delay is due to a holdup in the investigation, not a lack of adequate backups. If CDPR cannot decrypt its volumes, it will have no choice but to pay the ransom or restart work with anything it can improvise.