11 February 2021

Alleged stolen Cyberpunk 2077, The Witcher source code put up for auction



Threat actors behind the recent ransomware attack against CD Projekt Red are reportedly auctioning the alleged source code for Cyberpunk 2077 and The Witcher 3 on the Russian-language underground forum “Exploit.”

On Tuesday, the video game maker CD Projekt Red disclosed a ransomware attack on its internal systems. The company shared a ransom note left by the attackers, who claim to have stolen full copies of the source code from a Perforce server for Cyberpunk 2077, The Witcher 3, Gwent, and the unreleased version of The Witcher 3. At the time, CD Projekt Red stated that it would not negotiate with the attackers.

According to the Twitter account @vxunderground, the hackers have put up for sale the source code for the ‘Gwent’ card game, as well as The Witcher 3 and Cyberpunk 2077.

“This is the source code to ‘Gwent’ card game… Witcher 3, CyberPunk 2077, etc. is being auctioned today on EXPLOIT forums…The ransomware authors said they will not be auctioning data anywhere else – any other location other than EXPLOIT is fake,” according to the tweets.

The offered information allegedly includes stolen internal documents, 'CD Projekt offenses,' and the source code for Cyberpunk 2077, Witcher 3, Thronebreaker, and an unreleased Witcher 3 version with raytracing.

@vxunderground also said that the starting bid for the data is set at $1 million, but that it could be bought outright for $7 million. To participate in the auction, bidders must have a deposit of 0.1 BTC on the forum.

According to security researchers, the ransomware attack against CD Projekt Red may have been the work of a ransomware group tracked as HelloKitty, which has been active since November 2020. The HelloKitty malware disables various processes and services before encrypting files on a victim’s device. While not particularly active, HelloKitty is believed to be behind past attacks against other large organizations, including Brazilian energy firm CEMIG in December last year.
