The ransomware gang behind the hack of CD Projekt Red is reportedly asking for $1 million opening bids for the company’s data.
The ransomware gang behind an attack on videogame developer CD Projekt Red may have made good on its promise to auction off the company’s data – including source code for Cyberpunk 2077 and an unreleased version of The Witcher 3.
Or it may not have.
The Twitter account @vxunderground, which bills itself as “the largest collection of malware source code, samples and papers on the internet,” put out a notice on Wednesday that the purported stolen data was being put up for sale on the well-known Russian-language underground forum “Exploit,” and it offered alleged screenshots.
“This is the source code to ‘Gwent’ card game,” according to the tweets. “Witcher 3, CyberPunk 2077, etc. is being auctioned today on EXPLOIT forums…The ransomware authors stated they will not be auctioning data anywhere else – any other site other than EXPLOIT is fake.”
@vxunderground also said that the data had a starting bid of $1 million, but the full cache could be purchased outright for $7 million.
When asked to independently verify the claim, Austin Merritt, cyber-threat intelligence analyst at Digital Shadows, told Threatpost that the auction posting did in fact exist. An Exploit user named “redengine” created a thread in the auctions section of the site, entitled “Auction date for CD Projekt RED” when translated from the Russian.
“The user claimed to have full source codes for several games including Thronebreaker, Cyberpunk 2077, Witcher 3 and the unannounced Witcher 3 RTX (a version of Witcher with raytracing),” Merritt said. “The user also claimed to have dumps of internal documents and files related to CD Projekt Red ‘offenses.’”
As for price and timing, Merritt said that the poster set the auction to start Thursday, Feb. 11 at 13:00 Moscow time (5 a.m. ET), and that bidders would be required to make a 0.1 BTC deposit (roughly $4,490 at press time, with one bitcoin trading near $44,900) to enter.
“The user started the auction at $1 million, however, users have not yet expressed any interest in purchasing this data,” Merritt told Threatpost. “At the time of writing, there have been six replies to the original post. Users that have replied have largely questioned the legitimacy of the post, alleging that user ‘redengine’ does not have an established reputation on the forum.”
Thus, it’s unclear whether what the user is offering is genuine, or whether the posting is from an opportunist trying to cash in on the buzz around the stolen data that percolated up this week in media accounts.
Merritt gave Threatpost a screenshot of the alleged Gwent information files:
CD Projekt Red has not responded to a request for remark or verification.
CD Projekt Red Ransomware Attack
The Warsaw-based videogame company tweeted out a notice on Tuesday, warning of “a targeted cyberattack in which some of our systems have become compromised.”
The attackers – believed to be part of the “HelloKitty” ransomware gang, as Threatpost previously reported – acknowledged that the ransomware itself would likely not be a problem for the company, which had backups in place to quickly remediate the attack. More concerningly, the attackers threatened to dump troves of stolen company data online – including game source code.
“We have encrypted all of your servers, but we understand that you can most likely recover from backups,” according to the ransom note shared by CD Projekt Red. However, “source codes will be sold or leaked online, and your documents will be sent to our contacts in gaming journalism.”
It went on to say that not paying up would affect the company’s public image, stock price and investor confidence (CD Projekt Red is traded in over-the-counter markets). The attackers also claimed that the data would expose how badly the company is run.
Release of the source code would let enthusiasts build game hacks and perform all kinds of “modding” (i.e., development of custom features) and jailbreaks, and would be a gift to competitors.