- CD Projekt said hackers accessed its internal network, encrypted its servers and left a ransom note threatening to release the source code of its games.
- The Polish video game developer said it doesn't believe the compromised systems contained any personal data.
- CD Projekt is racing to fix its Cyberpunk 2077 game after a deluge of complaints about bugs and poor performance on older consoles.
LONDON — CD Projekt, the developer of troubled sci-fi video game Cyberpunk 2077, said Tuesday it's been hit with a cyberattack.
The Polish studio said hackers accessed its internal network, encrypted its servers and left a ransom note threatening to release the source code of its games.
"Although some devices in our network have been encrypted, our backups remain intact," CD Projekt said on Twitter. "We have already secured our IT infrastructure and begun restoring the data."
"We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data," the firm added.
"We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach."
In its tweet, CD Projekt also included the ransom note from the attackers. The note reads: "If we will not come to an agreement, then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism."
Jon Niccolls, EMEA and APAC incident response lead at cybersecurity firm Check Point, said so-called "double extortion" ransomware attacks — where hackers steal data and threaten to leak it unless their demands are met — are becoming increasingly common.
Almost half of all ransomware incidents included the threat of releasing stolen data, Niccolls added. He praised CD Projekt's refusal to negotiate with the hackers.
"We would urge all organizations to defend themselves against the growing ransomware threat with solutions that can prevent these attacks and stop data leaks, and by training employees about the risks of phishing emails, as this is how many ransomware exploits are launched," Niccolls said.
"Our research shows that on average, every 10 seconds an organization becomes a victim of ransomware worldwide, but CD Projekt Red is doing the right thing by refusing to give in to the hacker's demands."
CD Projekt said it doesn't believe the compromised systems contained any personal data. The company said it has contacted law enforcement and Jan Nowak, the president of Poland's Personal Data Protection Office (UODO), as well as IT forensics investigators.
A spokesperson for the UODO confirmed to CNBC it had received a personal data breach notification from CD Projekt on Tuesday.
It's been a tough few months for CD Projekt. The company was hit with a deluge of complaints from gamers upon the delayed release of its highly-anticipated Cyberpunk game due to numerous bugs and poor performance on older consoles.
The company has been racing to issue fixes to improve the game's performance. Sony pulled the title from its digital PlayStation Store over the situation, and it's not clear when it will return. Analysts at the time said it was highly rare for a console to delist a AAA game over quality issues.
Shares of CD Projekt sank 5.5% on news of the cyber attack Tuesday. They're down more than 30% since Cyberpunk's release in December.
CD Projekt is also known as the studio behind the critically-acclaimed role-playing title The Witcher 3.