The source code of CD Projekt Red is reportedly sold for millions in a dark web auction

This bird has been hacked!

Earlier this week, CD Projekt Red announced that it had been hit by a ransomware attack that allegedly exposed the source code for games, including Cyberpunk 2077, Gwent, and The Witcher 3. Now security experts are reporting that the source code has been auctioned off on a dark web forum, seemingly for millions of dollars.

VX Underground, which tracks ransomware and other malware attacks, reported on Wednesday that the stolen source code had been posted on a dark web forum known as EXPLOIT. The starting bid was reportedly $1 million, with a $500,000 bid increment and a $7 million “Buy Now” price.

Cyber intelligence firm KELA confirmed the authenticity of that auction, telling The Verge that forum users had to pay 0.1 BTC (about $4,700 at the time of writing) to participate in the bidding as a sign that offers were legitimate. The sellers also reportedly provided file listings for Gwent and the Red Engine that underpins CDPR’s games as proof that the data was authentic.

While the auction was originally intended to run for 48 hours, KELA and VX Underground both reported Thursday morning that it had closed successfully. “An offer was received outside the forum that satisfied us,” the sellers wrote, according to the reports.

KELA Threat Intelligence analyst Victoria Kivilevich told IGN that the stolen data was sold in one package. The sellers also threatened on separate dark web forums that CDPR will now “be very interested [sic] things live on their accounts [sic]” if they don’t close the auction by paying the ransom.

CDPR said on Monday that documents “pertaining to accounting, administration, legal, HR, investor relationships and more” were taken as part of the attack, adding that the actor, knowing that this could ultimately lead to the disclosure of the compromised data.

Security experts analyzing the ransom note shared by CDPR have identified a hacking group known as HelloKitty as the likely culprit of the ransomware attack. That same group was reportedly behind a ransomware attack on Brazilian energy company CEMIG at the end of last year.

The raw source code for a game, used to create the executables that are distributed to players, is usually considered one of a developer’s most valuable trade secrets. In 2003, the leak of the source code for Valve’s then-unreleased Half-Life 2 led to the arrest of a German hacker. More recently, a large batch of source code for classic Nintendo games was released online as part of a so-called “Gigaleak”.

Peter Groucutt, the director of IT protection service Databarracks, said this type of “double extortion” ransomware attack (where data is stolen and also locked behind an encryption key) could be a growing threat to companies with popular intellectual property. “Ransomware was originally intended to simply bring down a company [and] victims with robust backups could refuse to pay the ransom and restore their data from backups,” he said. “The difference between this attack and other double extortion attacks is that the exfiltrated data was very valuable IP. Even if you don’t pay, criminals can still earn a significant amount by selling the IP. If these attacks prove successful, we may see a shift to the organizations with the most valuable data.”

A recent report by cybersecurity analytics firm Coveware found that total payments for ransomware attacks fell slightly in the fourth quarter of 2020, after rising steadily in earlier years, as more companies refuse to pay. An increasing number of those attacks now include threats to leak data online, Coveware found, and hackers often release stolen data even when the desired ransom is paid.
