
An international law enforcement action dismantled a Romanian ransomware gang known as 'Diskstation,' which encrypted the systems of several companies in the Lombardy region, paralyzing their businesses.

The law enforcement operation codenamed 'Operation Elicius' was coordinated by Europol and also involved police forces in France and Romania.

Diskstation is a ransomware operation that targets Synology Network-Attached Storage (NAS) devices, which are commonly used by companies for centralized file storage and sharing, data backup and recovery, and general content hosting.


The ransomware operation has been targeting NAS devices worldwide since 2021 under various names, including "DiskStation Security", "Quick Security", "LegendaryDisk Security", "7even Security", and "Umbrella Security".

The attackers targeted internet-exposed NAS devices, encrypted their files, and demanded ransom payments ranging from $10,000 to hundreds of thousands of dollars.

DiskStation ransom note
Source: BleepingComputer

An announcement by the Postal and Cybersecurity Police Service explains that companies targeted by Diskstation experienced severe systems outages and business disruption.

"These companies had experienced encryption of data on their IT systems, resulting in the complete 'paralysis' of their production processes," reads the announcement.

"To regain access to their data and resume operations, the victims were required to pay a substantial ransom in cryptocurrency to the cybercriminals."

Victims who reported the incidents to the police include graphic and film production firms, event organizers, and international NGOs active in civil rights and charity work.

The investigations, led by the Milan Prosecutor's Office, focused on the forensic analysis of compromised systems as well as blockchain analysis to trace ransom payments.

Within a few months, the investigators identified several suspects, which enabled international law enforcement partners to conduct raids at the specified Bucharest residences in June 2024.

These raids provided additional evidence to back the police's suspicions and also led to the arrests of people caught in the act of committing crimes.

Law enforcement arrested a 44-year-old Romanian man suspected of being the primary operator behind the attacks. He is now in pre-trial detention and faces charges of unauthorized access to computer systems and extortion.

To protect NAS devices from unauthorized access and ransomware attacks, ensure they run the latest available firmware, turn off unnecessary services (such as Telnet, rsync, and UPnP), do not expose them to the internet, and restrict remote access to VPN connections.
