Western Digital refuses to negotiate with hackers as ALPHV offers “final warning”

Western Digital logo appearing on a smartphone against a sky blue background
(Image credit: Getty Images)

Western Digital has reportedly refused to negotiate with ALPHV, the cyber criminal group that claimed responsibility for the attack on the company in March.

ALPHV claimed the attack on Western Digital on Tuesday, saying that the storage firm had not responded to any of the criminals’ attempts to make contact.

The group alleged that Western Digital doesn’t know the nature of the files that were stolen and has made no attempt to contact ALPHV to understand the extent of the breach.

ALPHV suggested that it was able to travel fairly deeply into Western Digital’s network, offering no indication to the public of what kind of data it stole, other than a suggestion that it has files relating to Western Digital’s firmware.

“Important documents will be released while priceless artifacts will be sold,” ALPHV wrote on its deep web blog.

“At this moment, nothing has been sold or leaked. Despite our attempts over the past two weeks, Western Digital has not responded to any of our attempts,” it added. 

“Even the most naive organizations would want to know precisely what was taken, this situation demonstrates the lack of corporate governance.”

ITPro has contacted Western Digital for comment.

ALPHV also suggested that when Western Digital first filed its 8-K form with the Securities and Exchange Commission (SEC) - a legal requirement in the US compelling companies to disclose significant information to shareholders within four days - it “misrepresented several details”.

In the company’s regulatory filing, it said it had suffered a “network security incident” that first took place on 26 March.

RELATED RESOURCE

Whitepaper cover with digital image of female stood in front of a laptop within a circle, with books and credit card icons

(Image credit: Kaseya)

The complete SaaS backup buyer's guide

The realities of SaaS data protection and why an SaaS back up is essential

DOWNLOAD FOR FREE

It said an unauthorized third party gained access to a number of its systems. 

These service outages persisted until 12 April, according to Western Digital’s status page, which now says all services are running as normal.

The company also said in the filing that it had engaged outside incident response experts, was coordinating with law enforcement, and was “implementing proactive measures” to secure its systems.

If ALPHV’s claims are true, that it has stolen 10TB worth of data from Western Digital, as reported by TechCrunch, the company was either not aware of the data theft or chose not to inform investors in the 8-K.

The cyber criminals also told the publication that they were demanding an eight-figure fee for the return of its data, denying the use of ransomware.

The incident is then believed to be a pure extortion scenario, similar to the attacks by Cl0p abusing the GoAnywhere MFT vulnerability in more than 100 attacks around the world. 

These attacks involved an established ransomware group opting for a pure extortion model rather than deploying a ransomware payload.

ALPHV suggested on its blog that despite the extensive amount of data it has on Western Digital, it would not publish anything if it chose to pay the extortion demands.

“Please do not feel sorry for these hounds,” ALPHV wrote. “I can assure you that they are far more corrupt than you realize, and we have evidence to support our assertions.

“It’s approaching fast. But we are not superior to them. We apologize but we won’t divulge if they pay.”

It also said the blog post could be considered a “final warning”. 

This likely means Western Digital has been sent a deadline for payment, or the group will leak the entirety of the files it stole from the company online.

Analysis

Connor Jones headshot
Connor Jones

When it comes to attacks such as these, it raises questions about who exactly holds the real leverage.

On one hand, ALPHV has claimed to have a huge amount of Western Digital’s data, an amount that, like it expressed in its blog, would make it surprising for a company not to even try to understand what it contained.

That said, it wouldn’t be the first time a cyber criminal outfit has lied to get a rise out of a specific company - LockBit has used this tactic numerous times in the past year. 

The examples of Mandiant and Thales spring to mind.

Without a leak of the data we won’t know for sure if the group’s claims are true.

Western Digital’s apparent refusal to even speak to ALPHV on the matter, again, if true, is somewhat of a head-scratcher. 

ALPHV is right in saying we would usually expect a company to at least engage with the group to understand the nature of the stolen data, and perhaps try to negotiate the extortion demands down, even if it is just to buy some extra time.

But, we know the company engaged outside incident response experts to manage the situation. 

Through investigations, Western Digital may have realized that the stolen data did not amount to anything sensitive or personal, and would be happy to see minor files dumped online just to show a stand against the cyber criminals.

Those investigations may also have revealed the overall size of the stolen data to be much smaller than what ALPHV has claimed.

Then again, all of the criminals’ claims could be true, but it just refuses to negotiate with cyber criminals as a company policy, for example.

Ultimately, so much is unknown about the scenario. The criminals are usually the most vocal in these cases, but are also infamously the most untrustworthy. By contrast, Western Digital has not been especially vocal on the incident. 

I would expect the company to weigh in on the latest claims, but it did not reply to our requests for comment at the time of writing.

It will be interesting to see how the incident unfolds over the coming days and weeks.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.