We recently discovered that source code for ‘GWENT’, the card game made by CD Projekt Red (the studio behind Cyberpunk 2077 and The Witcher titles), was leaked on a popular hacking forum on February 10. The post, titled “CDProject Leak #1”, indicates that another leak will follow tomorrow, in what appears to be a double-extortion ransomware tactic: the victim’s data is encrypted and also stolen, and the stolen copy is published when the ransom is not paid.
All links to the leaked database are now inactive.
GWENT is a popular card game set in The Witcher universe. The card game first appeared in Andrzej Sapkowski’s The Witcher novels and became playable in CD Projekt Red’s The Witcher 3: Wild Hunt video game.
The GWENT leak most likely originated from the CD Projekt Red breach disclosed on February 9. According to CD Projekt, the attacker gained access to the source code of Cyberpunk 2077, The Witcher 3, the card game Gwent and an as yet unreleased version of The Witcher 3. The company stated that it had no evidence that customer data was taken during the incident.
The company also remained adamant that they would not pay the ransom. The attackers reportedly gave them 48 hours to pay. “Based on the company response timing,” ransomware expert Luca Mella told CyberNews, “it is possible that the attack was carried out on the weekend, so the 48 hours are already expired, and this is why the data started to circulate.”
It is possible that the leak originated from one of the post authors, as their history on the hacking forum is consistent with someone who works with or is familiar with ransomware. That consistency alone does not make the person a ransomware operator; it only means the profile fits.
The GWENT leak
On February 10 a link to the CDProject Leak #1 archive on Mega.NZ was posted but soon made inactive. However, we found and downloaded a copy from another forum, and it seems the leak was shared on 4chan as well.
Below, you can see the game source files in the archive:
This CDProject Leak #1 archive was labelled as the first of the leaks and included a readme file claiming that the next part of the leak would appear a day later. Judging from the file metadata, the exfiltration (or at least the transfer of the stolen data to a different storage location) took place on 2021-02-06 00:07 GMT.
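The dating above comes from timestamps inside the archive. The following Python is an added example (not code from the article or from CD Projekt) of how an analyst would pull those timestamps out of a ZIP to bound when the data was packaged, and separate files the attacker created during the intrusion (such as the readme) from the much older stolen source files. The archive contents, file names and dates are constructed for the example and are not from the real leak.

```python
import io
import zipfile
from datetime import datetime


def build_sample_archive() -> bytes:
    """Construct a small in-memory ZIP standing in for a leaked archive.

    Names, contents and timestamps are invented for this example.
    ZIP entries carry a DOS-style local timestamp with 2-second resolution
    and no time zone, so all values here are even seconds.
    """
    entries = [
        # attacker-written note, dated during the intrusion window
        ("Gwent/README.txt", (2021, 2, 6, 0, 7, 12), b"leak part 1 of 2"),
        # original source files keep their much older modification times
        ("Gwent/src/Card.cs", (2019, 11, 3, 14, 22, 8), b"class Card {}"),
        ("Gwent/src/Deck.cs", (2020, 5, 17, 9, 1, 44), b"class Deck {}"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, stamp, data in entries:
            info = zipfile.ZipInfo(name, date_time=stamp)
            zf.writestr(info, data)
    return buf.getvalue()


def entry_timestamps(archive: bytes) -> dict:
    """Map each file entry to its stored modification time (ISO 8601 string).

    The stored time is the local clock of the machine that packed the
    archive; attributing it to GMT, as in the article, is an assumption.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {
            info.filename: datetime(*info.date_time).isoformat()
            for info in zf.infolist()
            if not info.is_dir()
        }


def latest_timestamp(archive: bytes) -> str:
    """Newest entry time: an upper bound on when the archive was assembled,
    and usually the time the attacker last touched its contents."""
    return max(entry_timestamps(archive).values())


def files_newer_than(archive: bytes, cutoff_iso: str) -> list:
    """Entries modified after a cutoff; with a cutoff just before the known
    intrusion window this isolates attacker-created artifacts."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    return sorted(
        name
        for name, stamp in entry_timestamps(archive).items()
        if datetime.fromisoformat(stamp) > cutoff
    )


if __name__ == "__main__":
    sample = build_sample_archive()
    print("latest entry:", latest_timestamp(sample))
    print("intrusion-era files:", files_newer_than(sample, "2021-02-01T00:00:00"))
```

The newest entry is only an upper bound: an attacker can set arbitrary timestamps when packing, and a re-archiving step on another host overwrites them with that host's local clock, so a date recovered this way should be corroborated against server logs before it is treated as the exfiltration time.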
The post author has previously posted on the hacking forum about Cobalt Strike, open-source ransomware source code, and various tutorials and links on exploits, privilege escalation and cryptography. This is consistent with the knowledge, tools and skills needed to carry out a ransomware attack.
Cobalt Strike is a commercial adversary-simulation framework whose Beacon implant is one of the most common post-exploitation tools seen in ransomware intrusions. Once the attacker has an initial foothold, Beacon keeps a command-and-control channel open between the compromised hosts and the attacker’s server; that channel is used to move through the network, stage and exfiltrate data, and finally push the ransomware payload that encrypts the victim’s files.
It is most likely that this first part of the leak originated from the HelloKitty ransomware operators’ recent attack on CD Projekt Red, during which the company’s files were both stolen and encrypted.
Mella agrees. “Based on the ransom note file name and Emsisoft intelligence KB the actor seems related to a ransomware group named HelloKitty,” he told CyberNews. “This could mean the group is quite new and potentially growing fast after the compromise of such a high value victim. Many other younger affiliates may join their operations after this. CD Projekt is really popular and widely discussed among underground and gaming communities.”
He has also seen the leak spreading to other forums. “I’m noticing the stolen data have been downloaded by many actors and some of them are trying to sell and disclose part of them on other places too.”
Another threat actor (not the post author) has claimed that on February 11 there will be a leak of the source code for Witcher 3, Thronebreaker, Witcher 3 RTX and Cyberpunk 2077, among other files. They further claim on a private forum that an auction will be held at 1pm Moscow time and that a deposit of 0.1 BTC (about $4,500 at the time of writing) will be required to participate. This has not been confirmed:
We have received information about the type of data included in the full sale of CD Projekt Red’s stolen database. It appears to include the company’s proprietary Red Engine, the game engine developed in-house for The Witcher games.
This is a developing story. We will continue to assess the situation as more information comes to light. We have attempted to contact CD Projekt Red but have not received a reply by the time of publishing.