Western Digital refuses to negotiate with hackers as ALPHV offers “final warning”
The hackers claim to have stolen 10TB worth of the company's data but have received no contact during two-week incident


Western Digital has reportedly refused to negotiate with ALPHV, the cyber criminal group that claimed responsibility for the attack on the company in March.
ALPHV claimed the attack on Western Digital on Tuesday, saying that the storage firm had not responded to any of the criminals’ attempts to make contact.
The group alleged that Western Digital doesn’t know the nature of the files that were stolen and has made no attempt to contact ALPHV to understand the extent of the breach.
ALPHV suggested that it was able to travel fairly deeply into Western Digital’s network, offering no indication to the public of what kind of data it stole, other than a suggestion that it has files relating to Western Digital’s firmware.
“Important documents will be released while priceless artifacts will be sold,” ALPHV wrote on its deep web blog.
“At this moment, nothing has been sold or leaked. Despite our attempts over the past two weeks, Western Digital has not responded to any of our attempts,” it added.
“Even the most naive organizations would want to know precisely what was taken, this situation demonstrates the lack of corporate governance.”
ITPro has contacted Western Digital for comment.
ALPHV also suggested that when Western Digital first filed its 8-K form with the Securities and Exchange Commission (SEC) - a legal requirement in the US compelling companies to disclose significant information to shareholders within four days - it “misrepresented several details”.
In the company’s regulatory filing, it said it had suffered a “network security incident” that first took place on 26 March.
It said an unauthorized third party gained access to a number of its systems.
These service outages persisted until 12 April, according to Western Digital’s status page, which now says all services are running as normal.
The company also said in the filing that it had engaged outside incident response experts, was coordinating with law enforcement, and was “implementing proactive measures” to secure its systems.
If ALPHV’s claim that it has stolen 10TB worth of data from Western Digital, as reported by TechCrunch, is true, the company was either not aware of the data theft or chose not to inform investors in the 8-K.
The cyber criminals also told the publication that they were demanding an eight-figure fee for the return of its data, denying the use of ransomware.
The incident is therefore believed to be a pure extortion scenario, similar to Cl0p's abuse of the GoAnywhere MFT vulnerability in more than 100 attacks around the world.
These attacks involved an established ransomware group opting for a pure extortion model rather than deploying a ransomware payload.
ALPHV suggested on its blog that despite the extensive amount of data it has on Western Digital, it would not publish anything if the company chose to pay the extortion demands.
“Please do not feel sorry for these hounds,” ALPHV wrote. “I can assure you that they are far more corrupt than you realize, and we have evidence to support our assertions.
“It’s approaching fast. But we are not superior to them. We apologize but we won’t divulge if they pay.”
It also said the blog post could be considered a “final warning”.
This likely means Western Digital has been sent a deadline for payment, failing which the group will leak the entirety of the files it stole from the company online.
Analysis

Attacks such as these raise questions about who exactly holds the real leverage.
On one hand, ALPHV has claimed to have a huge amount of Western Digital’s data, an amount that, as it expressed in its blog, would make it surprising for a company not to even try to understand what it contained.
That said, it wouldn’t be the first time a cyber criminal outfit has lied to get a rise out of a specific company - LockBit has used this tactic numerous times in the past year.
The examples of Mandiant and Thales spring to mind.
Without a leak of the data we won’t know for sure if the group’s claims are true.
Western Digital’s apparent refusal to even speak to ALPHV on the matter, again, if true, is somewhat of a head-scratcher.
ALPHV is right in saying we would usually expect a company to at least engage with the group to understand the nature of the stolen data, and perhaps try to negotiate the extortion demands down, even if it is just to buy some extra time.
But, we know the company engaged outside incident response experts to manage the situation.
Through investigations, Western Digital may have realized that the stolen data did not amount to anything sensitive or personal, and would be happy to see minor files dumped online just to show a stand against the cyber criminals.
Those investigations may also have revealed the overall size of the stolen data to be much smaller than what ALPHV has claimed.
Then again, all of the criminals’ claims could be true, and the company may simply refuse to negotiate with cyber criminals as a matter of policy, for example.
Ultimately, so much is unknown about the scenario. The criminals are usually the most vocal in these cases, but are also infamously the most untrustworthy. By contrast, Western Digital has not been especially vocal on the incident.
I would expect the company to weigh in on the latest claims, but it did not reply to our requests for comment at the time of writing.
It will be interesting to see how the incident unfolds over the coming days and weeks.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.