The operators of the BlackCat (aka ALPHV) ransomware have published screenshots of Western Digital’s internal emails and video conferences, suggesting they maintained access to the company’s systems even after Western Digital discovered and responded to the attack.
Western Digital was hacked at the end of March 2023. The attackers compromised the internal network and stole the company’s data, but no ransomware was deployed on the Western Digital network and the files were not encrypted.
As a result of this attack, the company’s cloud services, including Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi and SanDisk Ixpand Wireless Charger, as well as related mobile, desktop and web applications, were not working for almost two weeks.
TechCrunch first reported that the incident was most likely related to a ransomware attack. According to journalists, the attackers managed to steal about 10 TB of data from the company, sharing samples of stolen data with TechCrunch, including files signed with stolen Western Digital keys, company phone numbers not publicly available, and screenshots of other internal data.
The ALPHV group then claimed they were not associated with the attack, but a message soon appeared on their website saying that Western Digital’s data would be made public if the company did not pay the ransom.
In an effort to put pressure on the affected company, the hackers released 29 screenshots containing emails, documents and video conferences related to Western Digital’s response to the attack, security researcher Dominic Alvieri now reports. This suggests the attackers retained access to some Western Digital systems even after the hack was discovered (probably until April 1, 2023).
The screenshots include a “media holding statement” and a letter about employees who “leak” information about the attack to journalists.
Also attached to this leak is a new message from the attackers, in which they claim to have personal information of the company’s customers and a full backup of SAP Backoffice.
The hackers say that if Western Digital does not pay the ransom, they will release stolen files every week. They also threaten to sell the company’s stolen intellectual property on the black market, including firmware, code-signing certificates, and customers’ personal information.