Screenshots Show ALPHV/BlackCat Ransomware Gang Monitored Western Digital’s Incident Response


May 2, 2023


The Alphv/BlackCat ransomware group reportedly published screenshots that reveal the attackers were monitoring Western Digital’s incident response actions and communications from inside the company’s network.

“The screenshots include what appear to be video calls, emails and internal documents discussing the hack, as well as invoices, development tools, confidential communications, and various tools used internally by the company,” Security Week reports.

“The hackers said that, unless WD pays up, they will release stolen files every week. They also threaten to sell stolen intellectual property, including firmware, code signing certificates, and customer personal information.”

Takeaway: If the attackers have already exfiltrated an organization's most valuable data, it’s safe to assume they are deep inside the targeted network. It should not be surprising that they leverage this level of access and visibility to monitor, and even actively counter, any incident response efforts: by this point in the operation, the attack has already been successful, and it's too late.

Most of the discussion around ransomware attacks centers on the delivery of the payload that encrypts data and systems – basically the very end of a complex ransomware attack sequence. Unfortunately, not enough focus is placed on the preceding steps, already successful by that point, that gave the attackers access to large portions of the targeted network and allowed them to exfiltrate sensitive data.

These are multi-staged attacks, where the threat actors are determined to infiltrate as much of the victim network as possible to exfiltrate sensitive data for extortion, with the aim of being as disruptive as possible. But this level of infiltration also means the attackers have likely achieved persistence and admin-level privileges.

This means that when the victim organization finally realizes it has been attacked and begins its incident response, it is highly likely that the attackers will have a front-row seat to the remediation actions and even internal communications, as appears to be the case with the attack on Western Digital.

Given how much effort attackers are putting into actions like security evasion, establishing persistence, moving laterally in the network and exfiltrating data, it’s clear we are not putting enough emphasis on these earlier stages of today’s long-tail ransomware attacks.  

If the attackers have already gained admin-level access to the network and exfiltrated the organization's most valuable data, then it should be no surprise that they are also privy to recovery efforts, because the attack has already been successful. And this visibility can allow the attackers to better resist being expelled from the network.

Better detection and automated remediation of the specific elements that are unique to the earliest actions in a multi-stage ransomware attack will give targeted organizations a much better chance of minimizing disruption to operations, reducing the potential for data loss, and putting themselves in a better position to defeat a ransomware attack long before the ransomware payload comes into play. Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.