Western Digital refuses to negotiate with hackers as ALPHV offers “final warning”
The hackers claim to have stolen 10TB worth of the company's data but have received no contact during two-week incident
Western Digital has reportedly refused to negotiate with ALPHV, the cyber criminal group that claimed responsibility for the attack on the company in March.
ALPHV claimed the attack on Western Digital on Tuesday, saying that the storage firm had not responded to any of the criminals’ attempts to make contact.
The group alleged that Western Digital doesn’t know the nature of the files that were stolen and has made no attempt to contact ALPHV to understand the extent of the breach.
ALPHV suggested that it was able to travel fairly deeply into Western Digital’s network, offering no indication to the public of what kind of data it stole, other than a suggestion that it has files relating to Western Digital’s firmware.
“Important documents will be released while priceless artifacts will be sold,” ALPHV wrote on its deep web blog.
“At this moment, nothing has been sold or leaked. Despite our attempts over the past two weeks, Western Digital has not responded to any of our attempts,” it added.
“Even the most naive organizations would want to know precisely what was taken, this situation demonstrates the lack of corporate governance.”
ITPro has contacted Western Digital for comment.
ALPHV also suggested that when Western Digital first filed its 8-K form with the Securities and Exchange Commission (SEC) - a legal requirement in the US compelling companies to disclose significant information to shareholders within four days - it “misrepresented several details”.
In the company’s regulatory filing, it said it had suffered a “network security incident” that first took place on 26 March.
RELATED RESOURCE
The complete SaaS backup buyer's guide
The realities of SaaS data protection and why an SaaS back up is essential
It said an unauthorized third party gained access to a number of its systems.
These service outages persisted until 12 April, according to Western Digital’s status page, which now says all services are running as normal.
The company also said in the filing that it had engaged outside incident response experts, was coordinating with law enforcement, and was “implementing proactive measures” to secure its systems.
If ALPHV’s claims are true, that it has stolen 10TB worth of data from Western Digital, as reported by TechCrunch, the company was either not aware of the data theft or chose not to inform investors in the 8-K.
The cyber criminals also told the publication that they were demanding an eight-figure fee for the return of its data, denying the use of ransomware.
The incident is then believed to be a pure extortion scenario, similar to the attacks by Cl0p abusing the GoAnywhere MFT vulnerability in more than 100 attacks around the world.
These attacks involved an established ransomware group opting for a pure extortion model rather than deploying a ransomware payload.
ALPHV suggested on its blog that despite the extensive amount of data it has on Western Digital, it would not publish anything if it chose to pay the extortion demands.
“Please do not feel sorry for these hounds,” ALPHV wrote. “I can assure you that they are far more corrupt than you realize, and we have evidence to support our assertions.
“It’s approaching fast. But we are not superior to them. We apologize but we won’t divulge if they pay.”
It also said the blog post could be considered a “final warning”.
This likely means Western Digital has been sent a deadline for payment, or the group will leak the entirety of the files it stole from the company online.
Analysis
When it comes to attacks such as these, it raises questions about who exactly holds the real leverage.
On one hand, ALPHV has claimed to have a huge amount of Western Digital’s data, an amount that, like it expressed in its blog, would make it surprising for a company not to even try to understand what it contained.
That said, it wouldn’t be the first time a cyber criminal outfit has lied to get a rise out of a specific company - LockBit has used this tactic numerous times in the past year.
The examples of Mandiant and Thales spring to mind.
Without a leak of the data we won’t know for sure if the group’s claims are true.
Western Digital’s apparent refusal to even speak to ALPHV on the matter, again, if true, is somewhat of a head-scratcher.
ALPHV is right in saying we would usually expect a company to at least engage with the group to understand the nature of the stolen data, and perhaps try to negotiate the extortion demands down, even if it is just to buy some extra time.
But, we know the company engaged outside incident response experts to manage the situation.
Through investigations, Western Digital may have realized that the stolen data did not amount to anything sensitive or personal, and would be happy to see minor files dumped online just to show a stand against the cyber criminals.
Those investigations may also have revealed the overall size of the stolen data to be much smaller than what ALPHV has claimed.
Then again, all of the criminals’ claims could be true, but it just refuses to negotiate with cyber criminals as a company policy, for example.
Ultimately, so much is unknown about the scenario. The criminals are usually the most vocal in these cases, but are also infamously the most untrustworthy. By contrast, Western Digital has not been especially vocal on the incident.
I would expect the company to weigh in on the latest claims, but it did not reply to our requests for comment at the time of writing.
It will be interesting to see how the incident unfolds over the coming days and weeks.
-
SecurityHQ names Aaron Hambleton as product and services chiefNews Industry veteran will lead product and service innovation across the provider's cybersecurity portfolio
-
Cisco teams up with DSIT to drive digital skills adoptionNews Partnership supports the government's TechFirst program to provide one million secondary school students with access to digital learning experiences
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recovery
News Few manage to recover all their data, and many experience business disruption
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in life
News With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
