Bryson Medlock

Bryson Medlock
on February 12, 2021

Good news, everyone! (Ok, maybe not everyone)

Good news, everyone! (Ok, maybe not everyone)

There’s been some oddly good news over the past week, with the takedown of another threat actor and the release of decryption keys from another group with a conscience.

Not everyone is smelling roses, though, as CD Projekt Red has had a pretty rough week.

Check it out.

Yet another takedown

January gave us good news with the takedown of Emotet, the world’s largest botnet as a service, and the Netwalker ransomware group. February seems to be continuing the theme with the end of a couple of bad actors already.

On February 4, Ukraine’s Cyber Police announced that, with the aid of law enforcement agencies in the US and Australia, they had shut down the world’s largest phishing services and arrested the individual responsible for the uPanel phishing kit.

According to Australian law enforcement, uPanel was responsible for 50% of all phishing attacks targeting Australian users in 2019 and is responsible for tens of millions of US dollars in losses for financial institutions in Australia, Spain, Italy, Chile, the Netherlands, Mexico, France, Switzerland, Germany, the US, and the UK.

The actor behind the campaigns was revealed as a 39-year-old resident of the Ternopil region. According to the analysis, the actor developed a phishing package and also crafted an administrative panel on it, which was later sold online to other threat actors. The admin panel could allow attackers to control the accounts of users who registered on compromised assets and entered their payment data. The actor also developed phishing resources to target email services, which were used by more than 1.5 billion users.

Law enforcement officers conducted authorized searches in the Ternopil region. As a result, the computer equipment, mobile phones, and hard drives were confiscated, and more than 200 active buyers of malicious software were identified. Due to the actor’s illegal activities, the actor could face up to six years of imprisonment.

More bad guys give up

Last week, we reported that the Fonix ransomware group gave up on their life of crime. This week, we see another ransomware group leaving the dark side behind. The actors behind the Ziggy ransomware announced on February 7, 2021, via Telegram that they were shutting down and released all of their decryption keys.

Just like the Fonix operators, the Ziggy group expressed remorse over their activity, saying, “We are very sad about what we did,” and attributed their criminal activities to their dire financial situation, claiming to live in a “third-world country.” The Ziggy admin claims to be friends with the Fonix ransomware group is from the same country.

The Ziggy group has released a SQL file containing 922 decryption keys for their victims, with three keys needed for each victim to decrypt their files. They also posted a decryption tool on Virustotal, though we recommend using decryption tools made by legitimate security companies, such as the one released by Emsisoft, rather than trusting code released by known bad guys.

Some are attributing the recent trend of ransomware operators giving up to growing concern in the underground malware industry caused by the Emotet and Netwalker takedowns. We can only hope this trend continues.

A bad week for CD Projekt Red

Cyberpunk 2077, by game studio CD Projekt Red (CDPR), was one of the most eagerly anticipated video games for eight years before its release. It was first announced in May 2012, with subsequent trailers released in 2013, 2018, and 2019. It won over one hundred awards at the E3 conference in 2018, still two years away from being released.

Finally, at E3 in 2019, they announced a release date of April 16 September 17 November 19 December 10, 2020. Once Cyberpunk 2077 was finally released, it became evident that perhaps another delay should have been in order. The game was released full of bugs, to the point it was unplayable on most consoles, and even though it was more stable on PC, you risked your save file becoming corrupted beyond repair. This led to more controversy, as CDPR promised a refund to any who requested it but failed to clear this policy with Sony, who then responded by removing the game from the PlayStation Store.

The release controversy was mostly forgotten by the time 2021 rolled around, but Cyberpunk 2077 and CDPR are back in the news this week. On February 2, 2021, they issued a warning from their Twitter account that users should avoid using “mod/custom saves on PC.” They disclosed that they had been “made aware of a vulnerability in external DLL files the game uses which can be used to execute code on PCs.” Details of the vulnerability were posted by PixelRick to their GitHub. CDPR promptly released a patch, so be sure you update your version.

A week after disclosing the vulnerability above, CDPR revealed on Twitter that they were targeted by ransomware. According to their Twitter post, an unknown bad actor was able to gain access to their systems, encrypted their files, and left a note claiming to have copies of the full source code for Cyberpunk 2077, as well as Witcher 3, Gwent, and an unreleased version of Witcher 3. The ransom note also claims to have copies of “all of your documents relating to accounting, administration, legal, HR, investing relations, and more!”

CDPR said they would not give in to the ransomware demands in their Twitter post and have already begun restoring systems. The investigation is still underway, and details are scarce. Many disgruntled gamers have speculated that this was a targeted attack due to the Cyberpunk 2077 release controversy, or even that this is a false flag posted by CDPR to distract from earlier controversies and to give them time to delay future releases, but security researchers have pointed out that this looks like normal ransomware operations.

The note left by the ransomware looks like those previously used by a group known as “HelloKitty,” named after a mutex in the ransomware executable named “HelloKittyMutex.” HelloKitty began operations in November 2020 and has targeted other large companies in the past, such as the Brazilian power company CEMIG in late 2020. So far, CDPR hasn’t released any information regarding the size of the requested ransom, and they’ve assured users that their personal data wasn’t stolen.

Yesterday, several Twitter posts reported that the auction is closed, and the data stolen from CDPR has been sold. According to the darknet forum where the auction was taking place, “An offer was received outside the forum that satisfied us. With the conditions of further non-distribution.”

Perch recommends following CDPR’s example and not giving in to ransom demands. The only way to truly put an end to ransomware attacks is if they stop being profitable. Though we have seen the end to several malware and ransomware groups in 2021, the ransomware business is still booming, and we expect it to continue to rise as long as it is profitable. Don’t give in; it stops being profitable, and we can move on from the ransomware craze to new threats.

That’s all for this week.

  • Bryson, The Dungeon Master

References


We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Ransomware operators leave the dark side

Share this on:

Bryson Medlock

Bryson Medlock
on February 12, 2021


Perchy Subscribe to our blog