Crytek Confirms Data Theft After Egregor Ransomware Attack


German game developer and publisher Crytek has accepted that its encrypted systems containing customers’ private details were breached by a ransomware gang known as Egregor who later leaked the same on the dark website. 

Earlier this month, Crytek sent out breach notification letters to the victims of the ransomware attack in which it acknowledges the ransomware attack that occurred in October 2020. The letter was shared with BleepingComputer by one of the customers impacted in the incident. 

"We want to inform you that Crytek was the victim of a ransomware attack by some unknown cyber-criminals. Ransomware is a form of malware that encrypts files on the systems of the attacked company. During that attack certain data had been encrypted and stolen from our network. We took immediate action to prevent the encryption of our systems, further secure our environment, and initiate an internal and external investigation into the incident," Crytek said in a letter mailed to one of their customers impacted by the encryption breach.

The company tried to reassure impacted individuals by saying "the website itself was difficult to identify, so that in our estimation, only very few people will have taken note of it." In addition to this, the enterprise also wrote that considering the size of the leaked data, it would have taken too long to download it anyway, which would probably have been a significant obstacle for individuals that wanted to get a hold of the data. 

The company also believes that those who attempted downloading the leaked data were discouraged by the "huge risk" of compromising their systems with malware embedded in the leaked documents.

Crytek's attempts to downplay the seriousness of the data breach don't hold water because attackers who really wanted to get their hands on leaked data would use a virtual machine and downloader to safely open what they download. The stolen data leaked by Egregor on their data leak website contained files related to WarFace, the cancelled Arena of Fate MOBA game, and documents that included information about their network operations.

So far, Egregor has targeted many well-known companies and organizations around the world, such as Barnes and Noble, Kmart, Cencosud, Randstad, and Vancouver’s TransLink metro system. In February, many members of the Egregor ransomware group were captured in Ukraine during a coordinated operation between the French and Ukrainian authorities. This happened because French law enforcement was successful in detecting some ransom payments that were transmitted to some people residing in Ukraine.