Riot Games, the creator of the mega popular video game League of Legends, has been hit by a ransomware attack. Hackers stole the source code for the League of Legends and are demanding $10 million from the company in exchange for not releasing the code to the public.
Riot Games has stated that it will not be paying the ransom and is working with law enforcement to investigate the incident. The company has also reassured players there is no indication that user data has been affected by the attack.
Today, we received a ransom email. Needless to say, we won't pay.— Riot Games (@riotgames) January 24, 2023
While this attack disrupted our build environment and could cause issues in the future, most importantly we remain confident that no player data or player personal information was compromised.
The stolen source code includes features that have not yet been released, and it is now uncertain if they ever will; though, the company did say that most of the content is prototype and probably would not have been released anyway. The incident also impacted the company's ability to publish game patches, and some of them may be delayed as a result.
Riot Games has stated that it is working with external consultants to investigate the attack and will release a report detailing how its development environment was breached and what measures have been taken to prevent this from happening again.
Vice's Motherboard was able to obtain the full ransom note left by the attackers:
"Dear Riot Games,
We have obtained your valuable data, including the precious anti-cheat source code and the entire game code for League of Legends and its tools, as well as Packman, your usermode anti-cheat. We understand the significance of these artifacts and the impact their release to the public would have on your major titles, Valorant and League of Legends. In light of this, we are making a small request for an exchange of $10,000,000.
We uploaded a tree list pdf file, which you can view the tree of Packman and League of Legends source. If you require any files for proof, message us and we will provide you the raw file.
In return, we will immediately remove all source code from our servers and guarantee that the files will never be released to the public. We will also provide insight into how the breach occurred and offer advice on preventing future breaches. We suggest communicating through Telegram, you can join us here:
We do not wish to harm your reputation or cause public disturbance. Our sole motivation is financial gain.
We have sent this message to the Directors only and have given you twelve hours to respond. Failure to do so will result in the hack being made public and the extent of the breach being known to more individuals.
We also want to remind you that it would be a shame to see your company publicly exposed, especially when you take great pride in your security measures. It is alarming to know that you can be hacked within a matter of hours by an amateur-level hack.
We urge you to take this matter seriously and consider our proposal."
Riot Games' decision to not pay the ransom demanded by the hackers is one that more organizations need to make. Paying the ransom does not guarantee that the attackers will delete the stolen data or stop leaking it, and some attackers have been known to double dip and continue to extort the victim even after receiving the ransom.
David Maynor, Senior Director of Threat Intelligence at Cybrary, applauds the company's decision, saying:
"This is one of the better ways to handle a ransomware event. They laid everything out, including potential downsides, but end on a cherry note that most of the stolen code was prototype and was never designed to be released. This is transparency personified."
This hack is one of several that has targeted video game creators in recent months, and it serves as a reminder for companies to prioritize cybersecurity and have a plan in place for such incidents.
Rockstar Games, which creates the Grand Theft Auto series, was breached in September 2022 when hackers stole source code for GTA 5 and 6. However, it is unlikely the two events are connected.
Follow SecureWorld News for more stories related to cybersecurity.