CD Projekt Red gets ransomed, auction fails to attract attention
posted Saturday Feb 13, 2021 by Scott Ertz
We have said many times that malware, including ransomware, can affect anyone, so everyone should be vigilant. Late last year, SolarWinds was hacked. This company makes network management software, and yet they were hit. Last month, malware detection company Malwarebytes was hit by the same group. The latest high-profile company to fall victim to malware is CD Projekt Red, the publisher for Cyberpunk 2077.
The company, which has had a rough 12 months, announced they had been hit by ransomware. The hackers claimed to have source code for several of the company's popular titles, including Cyberpunk 2077 and The Witcher 3, and the code would be released in some manner if the company didn't pay up. The company's official position was,
We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data.
This stand was possible in part because the data that was lost did not contain customer data, only their own. Presumably, the company would have responded differently if the hackers had information about you. The company was also likely hoping that the hackers were bluffing - either not having all of the data they claimed or not going through with the sale after the deadline. This week, that might have gone awry.
According to VX Underground, the code was posted on a dark web auction site. Security firm KELA confirmed the authenticity of the code, and told The Verge about the rules of the auction. It cost just shy of $5000 to participate, and had a $500k bid raise and a $7 million "buy it now" option. As of Thursday, the auction was listed as closed successfully, with a note saying,
An offer was received outside the forum that satisfied us.
Presumably, the note wants us to believe that someone offered a large sum well over the $1 million going price, but below the BIN price. However, because of the slow movement of the auction, there is another theory: no one actually bid on the auction, and the closure was an attempt to save face following a spectacular failure. Emsisoft analyst Brett Callow said in a blog post,
There is another possible scenario that we think is more likely: no buyer exists and the closure of the auction is simply a means for the criminals to save face after failing to monetize the attack following CD Projekt's refusal to pay the ransom. We have seen this behavior in the past with REvil, a ransomware group that threatened to release damaging information about Donald Trump. Although the hacked law firm refused to pay to prevent the leak, the information was never published; the attackers just claimed to have sold it.
For ransomware attacks to continue to be successful, the threat has to be credible, and if the threat in this case was a failure, it could affect future attempts. However, it is good to see that this one, in particular, was a failure.