A gang behind the hack of CD Projekt Red may be asking for $1m opening bids for the company’s data.
The ransomware group responsible for an attack on videogame developer CD Projekt Red may have made good on its threat to auction off the company’s data – including source code for Cyberpunk 2077 and an unreleased version of The Witcher 3.
Or it may not have.
Russian Underground Forum
The Twitter account @vxunderground, which calls itself “the largest collection of malware source code, samples & papers on the internet,” put out a notice on Wednesday that the purportedly stolen data was being put up for sale on the well-known Russian-language underground forum “Exploit,” and it provided alleged screenshots.
“This is the source code to ‘Gwent’ card game,” according to the tweets. “Witcher 3, CyberPunk 2077, etc. is being auctioned today on EXPLOIT forums…The ransomware authors said they will not be auctioning data anywhere else – any other location other than EXPLOIT is fake.”
@vxunderground also stated that the information had a starting bid of $1m, but the whole batch could be bought outright for $7m.
Verify
When asked to verify the claim, Austin Merritt, Cyber-Threat Intelligence Analyst at Digital Shadows, observed that the auction posting did indeed exist. An Exploit user named “redengine” created a thread in the auctions section of the site, entitled “Auction date for CD Projekt RED” when translated from Russian.
“The user claimed to have full source codes for various games including Thronebreaker, Cyberpunk 2077, Witcher 3 and the undeclared Witcher 3 RTX (a version of Witcher with raytracing),” Merritt outlined. “The user also claimed to have dumps of internal documents and files related to CD Projekt RED ‘offenses.’”
Merritt explained that the poster set the auction to start today, Feb. 11 at 13.00 Moscow time (5am ET), and that bidders would be required to make a 0.1 BTC deposit (about $44,900) to enter.
Auction
“The user started the auction at $1m, however, users have not yet expressed any interest in purchasing this information,” Merritt explained.
“At the time of writing, there have been 6 replies to the original post. Users that have replied have largely questioned the legitimacy of the post, alleging that user ‘redengine’ does not have an established reputation on the forum.”
It’s not clear if what the user is offering is real, or if the posting is from an opportunist trying to take advantage of the interest around the stolen data that emerged this week in the media.
CD Projekt Red has not responded to a request for comment or verification.
Ransomware Strike
The Warsaw-based videogame company tweeted a notice on Tuesday, warning of “a targeted cyber-attack in which some of our systems have become compromised.”
The attackers, believed to be part of the “Hello Kitty” ransomware gang, said that the ransomware itself would likely not be a problem for the company, which had backups in place to quickly remedy the attack.
More concerningly, the attackers threatened to release large amounts of stolen company data online, including game source code.
“We have encrypted all of your servers, but we understand that you can most likely recover from backups,” states the ransom note shared by CD Projekt Red. However, “source codes will be sold or leaked online, and your documents will be sent to our contacts in gaming journalism.”
Public Image
The note went on to say that not paying up would affect the company’s public image, stock price and investor confidence (CD Projekt Red is traded in over-the-counter markets). The attackers also claimed that the information would expose how badly the company is run.
Release of the source code would let fans develop game hacks and perform all kinds of “modding” (i.e., development of custom features) and jailbreaks, and would be a gift to competitors.