An international law enforcement effort, dubbed “Operation Elicius,” has successfully dismantled the “Diskstation” ransomware gang, a Romanian cybercrime group that had been targeting Network-Attached Storage (NAS) devices worldwide since 2021. Coordinated by Europol and involving police forces from France and Romania, this operation significantly disrupted the group’s activities. The gang specifically focused on Synology NAS devices, which are widely used by companies for crucial tasks like file storage, data backup, and content hosting.
The “Diskstation” ransomware gang operated under various aliases, including “DiskStation Security,” “Quick Security,” and “Umbrella Security,” consistently targeting internet-exposed NAS devices. Once a device was compromised, its files were encrypted, and victims were then hit with ransom demands ranging from $10,000 to hundreds of thousands of dollars in cryptocurrency. The attacks led to severe system outages and business disruptions for affected companies, completely paralyzing their production processes and forcing them to pay substantial sums to regain access to their data and resume operations.
Among the victims were diverse organizations, including graphic and film production firms, event organizers, and international non-governmental organizations involved in civil rights and charity work, many of which reported incidents to the police. The investigations, spearheaded by the Milan Prosecutor’s Office, involved meticulous forensic analysis of compromised systems and extensive blockchain analysis to trace the flow of ransom payments. These detailed investigations quickly led to the identification of several suspects.
Building on the intelligence gathered, international law enforcement partners raided residences in Bucharest in June 2024. These raids provided crucial additional evidence that substantiated police suspicions and led to arrests, including of individuals caught in the act of committing crimes. A 44-year-old Romanian man, believed to be the primary operator behind the “Diskstation” attacks, was arrested and is currently in pre-trial detention, facing charges of unauthorized access to computer systems and extortion.
This successful operation underscores the importance of international collaboration in combating cybercrime. To help prevent similar attacks, users of NAS devices are strongly advised to keep their firmware updated, disable unnecessary services like Telnet, rsync, and UPnP, avoid exposing their devices directly to the internet, and restrict access through Virtual Private Networks (VPNs). These security measures can significantly reduce the risk of falling victim to ransomware attacks.