Getting your data encrypted and not knowing the password bad enough. Now imagine that hackers who encrypted your data also went online and attempted to make a buck or two on your intellectual property, by setting up an auction site. Feeling upset?
It can get worse. What if you were a publicly-traded company and hackers also contacted the media on your behalf, exposing your sensitive information and nose-diving your share prices in the process? By now, your blood ought to be boiling.
Unfortunately this is what happened to CD Project Red in the early days of this month. The famous Warsaw-based game maker fell victim to a new variant of a ransomware attack, right in the middle of releasing Cyberpunk 2077 patches and updates.
Old vs new ransomware
Now, it’s important to notice that ransomware which hit CD Projekt Red is much different than the regular (let’s call it “traditional”) ransomware which comes to mind.
Traditional ransomware generates revenue for hackers by encrypting user data and holding it ransom until the victim pays the price. But what if the victim has a robust backup solution or flat-out refuses to pay? …ransomware usually employed intimidation tactics to solve this situation. Count-down timers and threats of raising the ransom price were common ways of forcing the victim to comply. Also, there was the looming threat of ransomware infecting other computers on the network, so getting back to normal could be much more time-consuming than previously thought.
These intimidation tactics worked for a while. Nonetheless, there were companies which refused to pay, perhaps due to excellent disaster-recovery solutions in place. Hackers therefore needed a new way to generate revenue from their malicious software.
Enter LockBit in the first quarter of 2020. This new type of ransomware introduced one more step before the encryption process: sending a copy of all data to hackers beforehand.
|We also download a huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don’t forget about GDPR!|
-LockBit ransomware note
As expected, this new ransomware modus-operandi is bound to bring in more revenue. If a business refuses to pay for data lost, they might crack under the pressure to keep internal files secret and pay hackers the ransom.
With confidential data in-and, there are multiple extortion tactics out there. For example
- Threatening to sell or expose intellectual property
- Contacting the media with insider secrets
- Releasing confidential investor data
- Diminishing the value of the stock price
- Bringing negative PR to the brand
- Undermining customer and business partner confidence
- Possible legal action on behalf of third parties
- Generating GDPR and private-data related fines
just to name a few. Moreover, if threats don’t convince the victim to pay, there’s always the possibility of actually auctioning off the data to the highest bidder in an effort to make a buck or two on a successful security breach.
CD Projekt Red case
Unfortunately, CD Projekt Red fell victim to the new type of ransomware – where the data is first sent to hackers and then encrypted.
CD Projekt Red ransomware note. Source: CD Projekt Red official Twitter account.
Hackers managed to copy lots of sensitive data (or at least they claim), including source code for an unreleased version of Witcher 3 game, code for Cyberpunk 2077, Gwent, internal financial, administrative, investor relations and HR documents.
CD Project Red, however, did not give in to hacker’s demands. The company released a public statement that it will not negotiate with criminals. Hackers responded, by creating an online auction, with an initial price of $1 million for the data, with an option to “buy now” for $7 million.
Getting back to normal
For CD Projekt Red recovery should not take too much time. Any company of this size most likely has a robust disaster-recovery solution, including timely backups. This means that at most, only a day of work was lost. Moreover, if the company has a sizable IT department, running antivirus scans across the entire network or even re-installing operating systems from scratch could take a few days, but not weeks or months.
The real problem here lies with data – and I’m not talking about game-related source code. Since holding on to illegally-obtained intellectual property is a crime, releasing any competing game based on this source code would be a legal disaster for anyone who would attempt it. At most, some of the game-making know how and best practices could have been exposed during the code leaks.
The worst part is internal company documents, confidential investor relations data and future plans. By being a publicly-traded company, CD Projekt Red is very vulnerable to the loss of trust from investors and business partners and any leak of internal documents can have unprecedented consequences.
CD Projekt on the offensive
Props have to be given in how CD Projekt Red handled the situation. The company immediately owned up and released a statement on its public Twitter profile, informing all of the data breach. The company has also informed the proper authorities, thus fulfilling it’s GDPR obligations. As such, unless the authorities find an absolute lack of due diligence in CD Projekt’s data protection practices, chances for a fine are slim or next to none.
Part of the statement from CD Projekt Red regarding the cyber attack.
Source: CD Projekt Red public Twitter profile.
The CD Projekt Red case clearly shows that even the biggest players can fall victim of a ransomware attack. Hackers are more than ever determined to monetize a security breach and the new variant of ransomware is a product designed to achieve these goals.
It’s important to notice that no amount of technological solutions can provide absolute data security. Regardless of the ransomware type – the old or new – in most cases malware enters the network due to human error, and this problem needs to be addressed.
Employees are constantly bombarded by social engineering attacks and hacking attempts. Lower-level employees regularly deal with phishing and SMShing, while managers are targeted by spear-phishing, sophisticated man-in-the-middle and impersonalization attacks. C-level executives, on the other hand, are targeted by whaling. Even tech giant CEOs fall victim, which only underlines the overall effectiveness of social engineering attacks.
The only solution is to invest in proper employee training and establishing a security-conscious company culture. Anti-virus programs, firewalls and endpoint detection platforms can only go so far, as cybersecurity by nature is a cat-and-mouse game and sometimes unknowingly, employees can be playing for the wrong team.