Just in: #CDProjektRed AUCTION IS CLOSED. #Hackers auctioned off stolen source code for the #RedEngine and #CDPR game releases, and have just announced that a satisfying offer from outside the forum was received, with the condition of no further distribution or selling. pic.twitter.com/4Z2zoZlkV6
— KELA (@Intel_by_KELA) February 11, 2021
Speaking to IGN, Victoria Kivilevich, a threat intelligence analyst at KELA, explained that it appears all of the files stolen – which apparently include source code for Cyberpunk 2077, multiple versions of The Witcher 3, and Gwent – were sold in a single package. It’s unclear who the buyer is, or what they intend to do with the files, at the time of writing.
It’s also unclear what price the files were sold for, but reports yesterday indicated an upfront purchase price of $7 million. Kivilevich provided IGN with a translated screenshot of the forum, dated February 10, in which the seller said CD Projekt should pay the ‘blitz’ (upfront purchase fee) because of sensitive data contained in the files. Of course, right now, we can’t verify whether that is true. CD Projekt publicly said that it would not pay the ransom.
In a report aided by KELA yesterday, The Verge explained that the auction required a deposit to enter (intended to show potential buyers that this wasn’t a scam auction), with bids starting at $1,000,000, moving up in $500,000 increments. Vx-underground also reported that source code (or at least fragments of source code) for Gwent had been released, which could have been further proof, ahead of the auction, that the files were in hand.
While still unconfirmed, multiple cybersecurity experts have pointed to the ransomware attack coming from a group called HelloKitty, based on the title and contents of the ransom note posted by CD Projekt following the hack.
The amount of people that are thinking this was done by a disgruntled gamer is laughable. Judging by the ransom note that was shared, this was done by a ransomware group we track as “HelloKitty”. This has nothing to do with disgruntled gamers and is just your average ransomware. https://t.co/RYJOxWc5mZ
— Fabian Wosar (@fwosar) February 9, 2021