BlackCat group releases screenshots of stolen Western Digital data

Ransomware group BlackCat has released a set of screenshots on its leak site that it claims are from data stolen from Western Digital in an April system breach. The images include screenshots of videoconferences and internal emails of the storage device manufacturer, according to a tweet by cybersecurity researcher Dominic Alvieri.

The screenshots also included an image of a recent meeting held by Western Digital where the company was discussing how to respond to the cyberattack. The ransomware group, along with the image, wrote, “with the finest threat hunters Western Digital has to offer.” The images of the participants were blurred.

Western Digital suffered a network breach

Western Digital disclosed it had suffered a network breach on April 3. The incident was first identified by the company on March 26 and the company revealed that an unauthorized third party gained access to several of the company’s systems.

“Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data,” Western Digital said.

The company also said that it was taking down certain systems and services offline as a proactive security measure. Following the incident, several users reported that they were not able to access Western Digital’s network-attached storage service My Cloud.

“We are currently experiencing a service interruption that is preventing customers from accessing the My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, SanDisk Ixpand Wireless Charger service,” the company said on April 3. The services were restored on April 12, according to the company’s status page.

BlackCat threatens to release more data

Along with the screenshots that BlackCat currently posted, the group also posted a note that states it would release more data and eventually put Western Digital’s intellectual property on sale.

“Beginning next week on an unspecified day, we will share leaks every week until we lose interest. Once that happens, we will put their intellectual property up for sale, including code signing certificates, firmware, personally identifiable information of customers, and more,” BlackCat said, adding that the group had obtained a full backup of Western Digital’s SAP Back Office, which dates back to the last week of March.

The group also claimed it was doing so because Western Digital did not get in contact with them. There has been no further update on the issue from Western Digital nor confirmation of any ransom demanded.

BlackCat becomes more active 

BlackCat, also known as ALPHV, was the second most active ransomware group in 2022, according to cybersecurity conpany Malwarebytes. It was the first ransomware to be coded in the Rust programing language. In February, the ransomware group listed over 6GB of data allegedly stolen from the Munster Technological University in Ireland on its website.

The Lehigh Valley Health Network disclosed on February 20 that it had been attacked by the BlackCat ransomware gang and stated that it would not pay a ransom. Following this, the gang posted pictures of nude cancer patients on its site. The pictures were clinical images used as part of radiotherapy.