
HelloKitty almost certainly behind CD Projekt ransomware attack

Theories that the cyber attack on a high-profile gaming studio was orchestrated by players who are disappointed in a videogame are likely wide of the mark, according to analysis

A ransomware gang going by the moniker HelloKitty is likely responsible for the high-profile cyber attack on Poland-based video game studio CD Projekt. The attack, disclosed on 9 February 2021, encrypted key systems and saw source code for a number of the studio's titles stolen.

Some commentators had linked the attack to a disgruntled gamer – problems with the studio's recently released Cyberpunk 2077 title have garnered a slew of negative reviews – but according to Emsisoft CTO Fabian Wosar, the customised ransom note shared by CD Projekt indicated the culprit was almost certainly HelloKitty.

Wosar said that the appeal of the narrative that the attack was perpetrated by angry gamers was clear, but that reality was “much more boring than that”.

HelloKitty is not a particularly well-known or frequently deployed strain of ransomware – Wosar described it as distinctly “average” – and its most high-profile victim thus far is CEMIG, a Brazilian energy provider.

Much remains to be discovered about HelloKitty compared with higher-profile ransomware families, although a sample analysed by Bleeping Computer sheds some light on its inner workings.

Synopsys managing security consultant Adam Brown added further weight to Emsisoft’s judgment that the CD Projekt incident is merely a run-of-the-mill ransomware hit, because there was little for any angry gamer to gain by obtaining the studio’s source code.

“The reality is that use of that leaked code is protected by licensing law, so another company can’t just take it and use it, or even snippets of it. As for the pirates, they would need jailbroken platforms to be able to release anything and at the moment the specs are so high for Cyberpunk, those jailbreaks are unlikely to be available in the short to mid-term,” he said.

“Of course, IP [intellectual property] is important, but it’s not like any rights to that IP have been lost – the most valuable assets to this company are its people,” he added.

Meanwhile, CD Projekt has been praised for its transparent disclosure and its refusal to engage in any negotiations with the gang behind the attack, as it is instead following best practice by restoring from secured backups.

Candid Wuest, vice-president of cyber protection research at Acronis, said: “I’d say their response was transparent, quick, but not extraordinary – this is what’s expected from any company. Sharing more info, like IOCs [Indicators of Compromise] would be helpful, but recovery takes precedence.

“However, I commend how they made it clear no ransom will be paid and no personal data of their users was compromised,” Wuest said.

Calvin Gan, senior manager of F-Secure's Tactical Defence Unit, commented: “Transparency is key in demotivating attackers from having an upper hand in the negotiation process since the public already knows about the breach and is expecting further updates.

“CD Projekt indicated they are already in the process of restoring from backups. That is a good sign where they probably have routinely tested their backup and is something organisations should also practise doing,” he added.

“While it is a sad situation where large organisations such as this are being compromised, on the bright side, CD Projekt’s stance of not negotiating with the attacker is commendable. This perhaps would set an example to others to not give in, which may hamper the attackers’ operation further,” added Gan.

CD Projekt has yet to comment further on the incident and has not released any further details of its investigation.
