CD PROJEKT RED, the Polish developer of games like Cyberpunk 2077 and The Witcher 3, has stated that it suffered a ransomware attack. The company claims that “certain data belonging to CD PROJECT capital group” was stolen. The company informed that the attackers were able to breach the internal network and managed to steal data from non-encrypted devices. The attackers encrypted the infected devices after stealing the data.
The attackers have left a ransom note, which the company has made public.
Our research team also found a threat actor (TA) leaking data from CD PROJEKT. The data is said to be the source code of a game owned by CD PROJEKT.
It has been reported that the attack was conducted by the ransomware group called ‘HelloKitty.’ Emsisoft’s security researcher, Fabian Wosar (@fwosar), informed in a tweet that ”the amount of people that are thinking this was done by a disgruntled gamer is laughable. Judging by the ransom note that was shared, this was done by a ransomware group we track as HelloKitty.”
The HelloKitty ransom group is not particularly active, and there is limited information available about the ransomware. This ransomware is named after a mutex called ‘HelloKittyMutex’ which was used in the malware.
Technical Information:
The HelloKitty ransomware has been active since November 2020. Since then, it has targeted numerous companies, including the Brazilian power company CEMIG last year. Hellokitty carries out targeted attacks, and most of them receive custom ransom notes from the threat actor group.
Once launched, HelloKitty will repeatedly run taskkill.exe to terminate processes associated with security software, email servers, database servers, backup software, and accounting software. In total, HelloKitty targets over 1,400 processes and Windows services. After it has shut down the various targeted processes and services., HelloKitty starts the encryption process.
Using the command specified below, the ransomware uses CMD.exe to carry out command-line operations and delete the malicious executable:
C:\Windows\System32\cmd.exe” /C ping 127.0.0.1 & del ag.exe
The HelloKitty ransomware also checks if it is being debugged using the function IsDebuggerPresent imported from Kernel32.dll.
The ransomware deletes shadow copies of files using the following commands:
select * from Win32_ShadowCopy
Win32_ShadowCopy.ID=’%s’
The HelloKitty ransomware creates a mutex that is used to avoid infecting the system more than once and coordinating communications among its multiple components on the host.
On analyzing the strings from the malware executable file, we found that the ransom note and a link to “.onion” website were also mentioned. The message blow is the Ransom note by HelloKitty Ransomware
Below are the contents of the ransom note.
Hello dear user.
Your files have been encrypted.
— What does it mean?!
Content of your files have been modified. Without special key you can’t undo that operation.
— How to get special key?
If you want to get it, you must pay us some money and we will help you.
We will give you special decryption program and instructions.
— Ok, how i can pay you?
1) Download TOR browser, if you don’t know how to do it you can google it.
2) Open this website in tor browser: %s/%S
3) Follow instructions in chat.
http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion
When encrypting files, the ransomware appends the .crypted extension to an encrypted file’s name. In the case of HelloKitty, the ransomware also drops a ransom note inside all the folders with encrypted files.
Indicators of Compromise (IOCs):
|
SHA-256 |
|
fa722d0667418d68c4935e1461010a8f730f02fa1f595ee68bd0768fd5d1f8bb 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0 c7d6719bbfb5baaadda498bf5ef49a3ada1d795b9ae4709074b0e3976968741e 56978ab3cb8172239da8742ebe41ef099bb9e1b58e23956a82bf495d7cc94c00 a6067ecff5c441c2e9654abfe928ae5a81b57e19f3a80ac945a7780f92b39ff3 613f9fb99d927e02ba4d7b7122df577fe775e2e56d7ddce5636fd810fc1392ad a63879a8f90286ca0ba54b446f94dd2e51da549dc4ebd91cb67018e910436280 78afe88dbfa9f7794037432db3975fa057eae3e4dc0f39bf19f2f04fa6e5c07c 02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851 38d9a71dc7b3c257e4bd0a536067ff91a500a49ece7036f9594b042dd0409339 9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0 |
MITRE ATT&CK Matrix:
|
Execution |
Persistence |
Defense Evasion |
Discovery |
Impact
|
|
Command-Line Interface |
Modify Existing Services |
File Deletion Registry Modification Anti-Debug |
Remote System Discovery |
Data Encrypted for Impact |
Security Recommendations:
- Ensure anti-virus software and associated files are up to date.
- Search for existing signs of the indicated IOCs in your environment.
- Keep applications and operating systems running at the current released patch level.
- Exercise caution while opening untrusted attachments and links in emails.
- Keep systems fully patched to effectively mitigate vulnerabilities.
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.