At the end of April, threat actors known as Babuk indicated that they were closing up shop and switching to a different model:
Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement.
Also for other groups that do not have their own blog or have but they want to exert additional pressure, you can not be placed with us.
Two weeks later, they wrote:
Hello! We announce the development of something really cool, a huge platform for independent leaks, we have no rules and bosses, we will publish private products in a single information platform where we will post leaks of successful no-name teams that do not have their own blogs and names, these are not girls who run with ship like rats and change the policy of their resources. these are really strong guys.
Another loud leak awaits you within a week.
Today, we began to see the changes as the site is now called Payload Bin.
The About and Rules pages are not available yet and so far there is only one leak listed under Announcements: CD Projekt. CD Projekt was attacked in February by attackers using what is believed to be the Hello Kitty ransomware. The hackers had put the stolen source code up for sale on a Russian-language forum, listing it all as:
- Full sources for the games Thronebreaker, Witcher 3, the undeclared Witcher 3 RTX (the version of the Witcher with raytracing) and of course Cyberpunk 2077
- Dumps of internal documents
- CD Projekt RED offenses.
They subsequently withdrew the auction listing, claiming that they had received a satisfactory offer from outside of the forum, and that because of a condition of no further distribution, they were removing the listing from auction.
Now Payload Bin says they will make all source code available on its site. So what, exactly, happened to that sale with “no further distribution?”