CD PROJEKT RED, the Polish developer of games such as Cyberpunk 2077 and The Witcher 3, has stated that it suffered a ransomware attack. The company says that “certain data belonging to CD PROJECT capital group” was stolen. According to the company, the attackers breached its internal network, stole data from devices that had not yet been encrypted, and then encrypted the infected devices.
The attackers have left a ransom note, which the company has made public.
Our research team also found a threat actor (TA) leaking data from CD PROJEKT. The data is said to be the source code of a game owned by CD PROJEKT.
It has been reported that the attack was conducted by the ransomware group known as ‘HelloKitty.’ Emsisoft security researcher Fabian Wosar (@fwosar) said in a tweet that “the amount of people that are thinking this was done by a disgruntled gamer is laughable. Judging by the ransom note that was shared, this was done by a ransomware group we track as HelloKitty.”
The HelloKitty ransomware group is not particularly active, and limited information is available about the ransomware. It is named after a mutex called ‘HelloKittyMutex’ that the malware creates.
The HelloKitty ransomware has been active since November 2020. Since then, it has targeted numerous companies, including the Brazilian power company CEMIG last year. HelloKitty carries out targeted attacks, and most victims receive custom ransom notes from the threat actor group.
Once launched, HelloKitty repeatedly runs taskkill.exe to terminate processes associated with security software, email servers, database servers, backup software, and accounting software. In total, HelloKitty targets over 1,400 processes and Windows services. After it has shut down the targeted processes and services, HelloKitty starts the encryption process.
The ransomware then invokes cmd.exe with the command below; the ping against the loopback address acts as a short delay before the malicious executable is deleted:
"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 & del ag.exe
The HelloKitty ransomware also checks if it is being debugged using the function IsDebuggerPresent imported from Kernel32.dll.
The ransomware locates and deletes volume shadow copies using the following WMI query:
select * from Win32_ShadowCopy
The HelloKitty ransomware creates a mutex that is used to avoid infecting the system more than once and to coordinate communication among its multiple components on the host.
When analyzing the strings in the malware executable, we found the ransom note and a link to a “.onion” website. The contents of the HelloKitty ransom note are shown below.
Hello dear user.
Your files have been encrypted.
— What does it mean?!
Content of your files have been modified. Without special key you can’t undo that operation.
— How to get special key?
If you want to get it, you must pay us some money and we will help you.
We will give you special decryption program and instructions.
— Ok, how i can pay you?
1) Download TOR browser, if you don’t know how to do it you can google it.
2) Open this website in tor browser: %s/%S
3) Follow instructions in chat.
When encrypting files, the ransomware appends the .crypted extension to each encrypted file’s name and drops a ransom note in every folder that contains encrypted files.
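As an added example (not code from this post or from Cyble), the Python below turns the behaviours described above into simple detection rules and runs them over constructed process, WMI and file telemetry; the event schema, the taskkill threshold and the sample events are assumptions.

```python
import re
from collections import Counter

# Assumption: alert when one parent spawns taskkill.exe at least this many times.
TASKKILL_THRESHOLD = 3
SELF_DELETE_RE = re.compile(r"ping\s+127\.0\.0\.1\s*&\s*del\s+\S+", re.IGNORECASE)
SHADOW_RE = re.compile(r"Win32_ShadowCopy", re.IGNORECASE)
CRYPTED_RE = re.compile(r"\.crypted$", re.IGNORECASE)

def detect_hellokitty_behaviour(events):
    """Return (rule, evidence) pairs; events are dicts typed 'process', 'wmi' or 'file'."""
    alerts = []
    taskkill_parents = Counter()   # parent image -> number of taskkill.exe children
    crypted_files = 0
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].lower()
            if image == "taskkill.exe":
                taskkill_parents[ev["parent"]] += 1
            elif image == "cmd.exe" and SELF_DELETE_RE.search(ev["command_line"]):
                alerts.append(("self_delete_via_ping", ev["command_line"]))
        elif ev["type"] == "wmi" and SHADOW_RE.search(ev["query"]):
            alerts.append(("shadow_copy_enumeration", ev["query"]))
        elif ev["type"] == "file" and CRYPTED_RE.search(ev["path"]):
            crypted_files += 1
    # A single taskkill is routine admin activity; a burst from one parent is the signal.
    for parent, n in taskkill_parents.items():
        if n >= TASKKILL_THRESHOLD:
            alerts.append(("taskkill_burst", f"{parent} spawned taskkill.exe {n} times"))
    if crypted_files:
        alerts.append(("crypted_extension", f"{crypted_files} files written with .crypted"))
    return alerts

# Constructed sample telemetry (not from the post or any real host); "ag.exe" is the
# executable name from the self-delete command quoted above.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe", "command_line": "notepad.exe"},
    {"type": "process", "parent": "ag.exe", "image": "taskkill.exe", "command_line": "taskkill /F /IM sqlservr.exe"},
    {"type": "process", "parent": "ag.exe", "image": "taskkill.exe", "command_line": "taskkill /F /IM veeam.exe"},
    {"type": "process", "parent": "ag.exe", "image": "taskkill.exe", "command_line": "taskkill /F /IM outlook.exe"},
    {"type": "process", "parent": "helpdesk.exe", "image": "taskkill.exe", "command_line": "taskkill /IM hungapp.exe"},
    {"type": "wmi", "process": "ag.exe", "query": "select * from Win32_ShadowCopy"},
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.crypted"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "process", "parent": "ag.exe", "image": "cmd.exe",
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /C ping 127.0.0.1 & del ag.exe'},
]
```

Running `detect_hellokitty_behaviour(SAMPLE_EVENTS)` flags the shadow-copy query, the ping-and-delete command, the taskkill burst from ag.exe and the .crypted file, while the single taskkill from helpdesk.exe and the benign files produce nothing.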
Indicators of Compromise (IOCs):
MITRE ATT&CK Matrix:
Modify Existing Services
Remote System Discovery
Data Encrypted for Impact
- Ensure anti-virus software and associated files are up to date.
- Search for existing signs of the indicated IOCs in your environment.
- Keep applications and operating systems running at the current released patch level.
- Exercise caution while opening untrusted attachments and links in emails.
- Keep systems fully patched to effectively mitigate vulnerabilities.
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.