Kavi Sivasothy
Associate
In early 2021, Polish game developer CD Projekt Red (CDPR) experienced an extreme example of Murphy's Law. Shortly after releasing Cyberpunk 2077 in December 2020, one of the most anticipated video games of the past five years, CDPR suffered a ransomware attack that encrypted systems and exfiltrated data.[1] The timing could not have been worse: the studio was already dealing with critical and commercial backlash to its big release, and anonymous hackers were threatening to auction off some of its most important intellectual property, including the source code for many of its biggest video game properties.[2]
Confronted with all of this, CDPR did something unexpected. It refused to pay any ransom. Within a day of becoming aware of the breach, the developer had released a copy of the ransom note and a public message declaring its refusal to pay, daring the hackers to go ahead with their threats to sell the stolen data.[3]
There were consequences to saying no. News of the attack caused the stock price to drop; source code for its most popular games, along with personal information of employees, began appearing in the wild; and CDPR acknowledged that future projects could be affected by the leak as well.[4]
None of these repercussions was surprising or hard to foresee. So how could CDPR have refused the hackers so quickly and emphatically? If I were armchair breach coaching, I would suggest CDPR was able to say no because it was an organization that was sufficiently prepared to identify and assess the fallout from a ransomware attack. And CDPR isn't alone in refusing to play games with threat actors.
Following a steady rise in payments in the early era of ransomware, more and more organizations have begun to refuse ransom demands.[5] Part of this may be attributable to increasing distrust that payment could guarantee the safe and secure restoration of operations: a payment buys a decryptor of unknown quality and an unverifiable promise that stolen data will be deleted. But it can also be linked to organizations having increasing confidence in their own resilience to bounce back from a hack.
Now, not every organization can just say "no" to a ransom demand. A hospital has to consider very different factors than a dry-cleaner. But all organizations should be proactive in ensuring they are positioned to 1) act nimbly when responding to a breach, 2) mitigate damages and 3) preserve the option to walk away from the threat.
Here are six things organizations can do today to become more resilient to cyber threats:
If an incident occurs, organizations must be prepared to move quickly to corral the key information and act on it. Some questions an organization must be prepared to immediately address include:
Dealing with a ransomware attack can be a surreal experience akin to being robbed at gunpoint by a ghost. Organizations that may be used to making decisions over days or weeks must be able to act within hours. Having a crisis roadmap and the capacity to quickly scope what happened (which systems were encrypted, what data left the network, and whether backups survived) can significantly enhance the ability of an organization to react to the threat, however it manifests.
CDPR knew within a day that it would (and could) refuse to pay the ransom. It could not have been an easy decision to make. It required weighing the risks of having invaluable and sensitive information released against the business expediency of restoring systems and recovering assets by paying the ransom.
It is important to note that organizations that suffer a breach do not need to fend for themselves. An entire service industry has grown in response to the rise in cyber security incidents. Breach coaches (who are often lawyers), as well as forensic investigators and negotiators, can offer immediate advice and expertise to organizations and help orient them in a crisis. Law enforcement and regulators are also often prepared to offer assistance when asked. Many resources, including lawyers, can also help organizations be proactive: building out the roadmap, mapping out risks, and running tabletop exercises. The better prepared an organization is in advance of a crisis, the easier it can be to know when to just say "no".
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.