Earlier this week, CD Projekt Red announced that hackers had infiltrated its networks and made off with various internal documents and game source code, which the culprits threatened to release to the public unless a ransom was paid. Instead, the studio went public, vowing that it “will not give in to the demands nor negotiate” with the thieves, despite acknowledging “that this may eventually lead to the release of the compromised data.”
Sure enough, that now appears to be happening. CyberNews, “a research-based online publication” that focuses on digital security, says the source code for CD Projekt’s card game Gwent was posted to a hacking website on February 10 under the heading “CDProject Leak #1.” Links to the leaked information on sites including Mega.nz and 4chan are now inactive, but the site was able to get a copy of the archive and said that the metadata indicates that it was taken on February 6, two days before CD Projekt Red “became aware” of the attack.
The title of the archive obviously suggests that there’s more to come, and so does a readme file found inside, which warned that a second leak would occur the following day—which is now today.
CD Projekt Red said that the hackers were also able to encrypt some devices on its network, although it was able to secure its IT infrastructure shortly after the attack and had begun restoring the locked data from backups. The CyberNews report says the author of the forum post linking to the leaked data has previously written about the open-source ransomware Cobalt Strike as well as other topics indicating that they have the skills and tools required to pull off a successful ransomware attack, and cybersecurity expert Luca Mella told the site that he believes the perpetrator is related to the ransomware group HelloKitty, echoing thoughts expressed shortly after the hack by Emisoft chief technology officer Fabian Wosar.
The amount of people that are thinking this was done by a disgruntled gamer is laughable. Judging by the ransom note that was shared, this was done by a ransomware group we track as “HelloKitty”. This has nothing to do with disgruntled gamers and is just your average ransomware. https://t.co/RYJOxWc5mZFebruary 9, 2021
“This could mean the group is quite new and potentially growing fast after the compromise of such a high value victim,” Mella said. “Many other younger affiliate may join their operations after this. CD Projekt is really popular and widely discussed among underground and gaming communities.”
While known links to the leaked data have been disabled, Mella added that the archive has already been downloaded by many others, some of whom are now trying to extort their own payments. One “threat actor” who is not the author of the forum post disclosing the first leak said the source codes for The Witcher 3: Wild Hunt, Thronebreaker, and Cyberpunk 2077 would be released today, February 11. Instead of a leak to online archives, however, this information will apparently be auctioned off—anyone who wishes to get in on the action will, according to the post, have to make a deposit of 0.1 Bitcoin, which at the moment works out to about $4,800.
I’ve reached out to CD Projekt for comment on the report, and will update if I receive a reply.