Ransomware operation ALPHV, aka BlackCat, released screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to company systems even as the company was responding to the breach.
The leak comes after the threat actors warned Western Digital on April 17 that they would hurt the company until it “can’t take it anymore” if a ransom wasn’t paid.
A cyberattack in March
On March 26, Western Digital suffered a cyberattack where threat actors breached its internal network and stole company data. However, no ransomware was deployed and the files were not encrypted.
In response, the company shut down its cloud services for two weeks, including My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi and SanDisk Ixpand Wireless Charger, plus related mobile, desktop and web apps.
TechCrunch was the first to report that an “unnamed” hacking group had breached Western Digital, claiming to have stolen ten terabytes of data.
The threat actor allegedly shared samples of stolen data with TechCrunch, which included files signed with stolen Western Digital code-signing keys, unlisted company phone numbers and screenshots of other internal data.
The hackers also claimed to have stolen data from the company’s SAP Backoffice implementation.
While the intruder claimed not to be affiliated with the ALPHV ransomware operation, a message quickly appeared on the gang’s data leak site warning that Western Digital’s data would be leaked if the company did not negotiate a ransom.
ALPHV mocks Western Digital
In yet another attempt to taunt and embarrass Western Digital, the hackers posted twenty-nine screenshots of emails, documents and video conference calls related to the company’s response to the attack, security researcher Dominic Alvieri told BleepingComputer.
When a company discovers that it has been hacked, one of the first countermeasures is to find out how the threat actor gained access to the network and close off that path.
However, there is sometimes a gap between detection and response, allowing the adversary’s access to persist even after the attack has been detected. That access lets them monitor the company’s response and steal more data.
The screenshots leaked by ALPHV, which show video calls and emails about the attack, suggest the threat actors retained access to some of Western Digital’s systems while the company was responding.
One image includes the “media detention statement” and another is an email about employees leaking information about the attack to the press.
The leaked data is accompanied by another message from the threat actors, in which they claim to have customers’ personal information and a full backup of WD’s SAP Backoffice implementation.
Although the data appears to belong to Western Digital, BleepingComputer could not independently verify its source or whether it was stolen in the attack.
So far, Western Digital has not negotiated a ransom to prevent the leak of the stolen data, which has prompted new threats from the hackers.
“We know you have the link to our onion site. Approach with payment prepared, or [redacted] disabled. Prepare for the gradual fallout,” reads ALPHV’s new warning to Western Digital.
Western Digital declined to comment on the leaked screenshots and the threat actors’ claims.