Hackers Leak Photos to Mock Western Digital's Cyberattack Response

The leak comes after the threat actor warned Western Digital on April 17th.

 


The ALPHV ransomware operation, also known as BlackCat, has shared screenshots of internal emails and video conferences taken from Western Digital, revealing that the group likely continued to have access to the firm's systems even while the company responded to the incident.

The release comes after the threat actor informed Western Digital on April 17th that if a ransom was not paid, it would hurt the company until it "could not stand anymore." Western Digital was the victim of a cyberattack on March 26th, in which threat actors infiltrated its internal network and stole company data. However, no ransomware was installed, and no files were encrypted.

In response, the company suspended its cloud services, including My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, and SanDisk Ixpand Wireless Charger, as well as related mobile, desktop, and online apps, for two weeks.

According to TechCrunch, an "unnamed" hacking group accessed Western Digital and claimed to have stolen ten terabytes of data. The threat actor allegedly shared examples of the stolen data with TechCrunch, including files signed with stolen Western Digital code-signing keys, unlisted corporate phone numbers, and images of other internal data.

In addition, the hackers claimed to have stolen data from the company's SAP Backoffice implementation. While the hacker claimed to be unrelated to the ALPHV ransomware operation, a message soon surfaced on the gang's data leak site, warning that Western Digital's data would be leaked if a ransom was not paid.

Western Digital is mocked by ALPHV

Security researcher Dominic Alvieri informed BleepingComputer that the hackers released twenty-nine screenshots of emails, documents, and video conferences connected to Western Digital's response to the attack in an additional attempt to humiliate and disgrace the corporation.

When an organization is compromised, one of the first measures is to figure out how the threat actor obtained access to the network and block the path. However, there can be a delay between identification and response, enabling the adversary's access to continue even after an attack is detected. This access permits them to watch the company's response and steal additional data.

The screenshots supplied by ALPHV suggest that the threat actors retained access to parts of Western Digital's systems, since they show video conferences and emails concerning the attack. One image depicts the "media holding statement," and another shows an email regarding staff leaking information about the attack to the press.

Another message from the threat actors is included with the exposed material, claiming to have customers' personal information as well as a comprehensive backup of WD's SAP Backoffice implementation.

While the data appears to be Western Digital's, BleepingComputer was unable to independently confirm its source or whether it was stolen during the attack. Western Digital is not currently negotiating a ransom to halt the publication of stolen data, which has prompted fresh threats from the hackers.

"We know you have the link to our onion site. Approach with payment prepared, or [redacted] off. Brace yourselves for the gradual fallout," reads ALPHV's new warning to Western Digital.

Western Digital declined to comment on the stolen screenshots and threat actors' assertions.
