CD Projekt Red source code reportedly sold for millions at dark web auction

This bird has been hacked!

Earlier this week, CD Projekt Red announced that it had been hit by a ransomware attack that allegedly exposed the source code for games including Cyberpunk 2077, Gwent, and The Witcher 3. Security experts are now reporting that the source code was auctioned off on a dark web forum, apparently for millions of dollars.

VX Underground, which tracks ransomware and other malware attacks, noted on Wednesday that the ransomed source code had been posted on a dark web forum known as EXPLOIT. The starting bid was $1 million, with a $500,000 bid increment and a $7 million “buy now” price.

Cyber intelligence firm KELA confirmed the authenticity of the auction, telling The Verge that forum users needed to put up 0.1 BTC (about $4,700 at the time of this writing) to participate in the bidding as a sign that their bids were legitimate. The sellers also provided file listings for Gwent and the Red Engine that underlies CDPR's games as proof that the data was authentic.

Although the auction was originally planned to last 48 hours, by Thursday morning KELA and VX Underground were both reporting that it had been successfully closed. “An offer was received outside the forum that satisfied us,” wrote the sellers, according to the reports.

Victoria Kivilevich, a KELA threat intelligence analyst, told IGN that the stolen data was sold in a single package. The sellers also reportedly threatened on separate dark web forums that CDPR will now “have a lot of interest [sic] things in your living accounts [sic]” if they didn’t close the auction by paying the ransom.

CDPR said on Monday that documents “related to accounting, administration, legal, HR, investor relations and others” were taken as part of the attack, adding that “we will not give in to the demands or negotiate with the actor, being aware that this can eventually lead to the release of the compromised data.”

Security experts analyzing the ransom note shared by CDPR have identified a group of hackers known as HelloKitty as the likely culprit of the ransomware attack. That same group was supposedly behind a ransomware attack on the Brazilian energy company CEMIG, among others, at the end of last year.

A game’s raw source code, which is used to create the executable files distributed to players, is generally considered to be one of a developer’s most valuable trade secrets. In 2003, the leak of the source code for Valve’s then-unreleased Half-Life 2 led to the arrest of a German hacker. More recently, a large portion of the source code for Nintendo’s classic games was released online as part of the so-called “Gigaleak”.

Peter Groucutt, the managing director of the IT protection service Databarracks, said that this type of “double extortion” ransomware attack (where data is stolen and also locked by an encryption key) can be a growing threat for companies with popular intellectual property. “Ransomware originally sought to simply paralyze a company [and] victims with robust backups can refuse to pay the ransom and restore their data from backups,” he said. “The difference between this attack and other double extortion attacks is that the exfiltrated data was highly valuable IP. Even if you don’t pay, criminals can still earn a considerable amount of money by selling intellectual property. If these attacks are successful, we could see a shift to target organizations with the most valuable data.”

A recent report by cybersecurity analyst firm Coveware found that total payments for ransomware attacks fell slightly in the fourth quarter of 2020, after rising steadily in previous years, as more companies refused to pay. An increasing number of these attacks now include online data leak threats, Coveware found, and hackers often release stolen data, even if the desired ransom is paid.
