Stolen CD Projekt Red Files Reportedly Now Sold After Dark Web Auction

3 years 4 months ago
Files stolen from CD Projekt Red in a ransomware attack revealed earlier this week have reportedly now been sold in a dark web auction. Dark web monitoring organisation KELA (which previously provided The Verge with what it believes to be legitimate file lists from CD Projekt's Red Engine) reports that an auction set up to sell the files has now been closed after a "satisfying offer" was made from outside of the forum it was being held on. That offer reportedly stipulates that the code will not be distributed or sold further. Cybersecurity account vx-underground also reported that it had heard the sale was completed.

Speaking to IGN, Victoria Kivilevich, a threat intelligence analyst at KELA, explained that it appears all of the files stolen – which apparently include source code for Cyberpunk 2077, multiple versions of The Witcher 3, and Gwent – were sold in a single package. It's unclear who the buyer is, or what they intend to do with the files at time of writing. It's also unclear what price the files were sold for, but reports yesterday indicated an upfront purchase price of $7 million.

Kivilevich provided IGN with a translated screenshot of a separate forum, XSS, dated February 10, in which the purported seller, redengine, says CD Projekt should pay the 'blitz' (upfront purchase fee) because of sensitive data contained in the files. Of course, right now, we can't verify whether that is true. CD Projekt publicly said that it would not pay any ransom.

[Image: A reported screenshot of the now-closed auction thread.]

In a report aided by KELA yesterday, The Verge explained that the auction required a deposit to enter (intended to show potential buyers that this wasn't a scam auction), with bids starting at $1,000,000, moving up in $500,000 increments.

Vx-underground also reported that source code (or at least fragments of source code) for Gwent had been released, which could have been another showing of proof that the files were in hand before the auction.

While still unconfirmed, multiple cybersecurity experts have pointed to the ransomware attack coming from a group called HelloKitty, based on the title and contents of the ransom note posted by CD Projekt following the hack. CD Projekt had no comment when contacted by IGN for a statement.

Update: This story originally stated that the screenshot above was from the auction forum, called Exploit. It is in fact from a second forum, XSS.

Joe Skrebels is IGN's Executive Editor of News. Follow him on Twitter. Have a tip for us? Want to discuss a possible story? Please send an email to newstips@ign.com.
Author
Joe Skrebels
