An international police operation succeeded in dismantling DiskStation, a Romanian ransomware gang that encrypted the systems of companies in the Italian region of Lombardy, bringing their businesses to a complete standstill.
The operation, known as “Operation Elicius,” was coordinated by Europol and supported by the authorities in France and Romania, who worked together to stop the criminal group's activities.
What is DiskStation and how did it affect Synology NAS devices?
DiskStation is not only the name of a popular NAS device from Synology; it was also the nickname of a ransomware operation that, since 2021, has been attacking precisely that type of system: network-attached storage (NAS) devices, used by many companies to centrally store, share, and back up files.
This group of cybercriminals focused on NAS devices directly exposed to the internet, exploiting insecure configurations or unpatched vulnerabilities. Once inside, they encrypted all files and demanded a ransom to restore access. The amounts varied from $10,000 to figures exceeding hundreds of thousands, depending on the size of the victim.
During their activity, they operated under different names to avoid being easily detected. Some of the most commonly used aliases were: DiskStation Security, Quick Security, LegendaryDisk Security, 7even Security, and Umbrella Security.
In summary, this group turned an essential resource for businesses (such as Synology NAS devices) into a weak point that they exploited mercilessly on a global scale.
DiskStation ransom note (Source: BleepingComputer)
DiskStation victims: Paralyzed systems and cryptocurrency ransoms
According to the Postal and Cybersecurity Police Service, companies affected by DiskStation ransomware suffered critical disruptions to their systems, bringing their daily operations to a complete halt.
“The attackers encrypted the data on the victims' systems, causing their production processes to come to a complete standstill,” the authorities explained.
In order to resume operations, the companies were forced to pay a ransom in cryptocurrency, in some cases quite large sums, in exchange for regaining access to their data.
Among the sectors most affected are graphic and film production companies, event organizers, and international NGOs working in defense of civil rights and humanitarian causes. All of these organizations filed complaints with the police after being completely blocked by the attack.
A cross-border investigation
The investigation was led by the Milan Public Prosecutor's Office, with a technical focus on forensic analysis of the compromised systems and tracking payments through the blockchain, a key technique for tracing money in cybercrime cases.
Thanks to this work, several suspects were identified in just a few months. This allowed for coordinated raids in different locations in Bucharest, Romania, during June 2024, in collaboration with international police forces.
These interventions not only provided solid evidence confirming the suspicions, but also led to arrests in flagrante delicto, i.e., while the perpetrators were in the act of committing the crimes.
One of those arrested was a 44-year-old Romanian citizen, identified as one of the main operators behind the DiskStation attacks. He is currently in pretrial detention, facing charges of unauthorized access to computer systems and aggravated extortion.
How to protect your NAS devices from ransomware?
If you have a NAS (especially from brands such as Synology or QNAP), it is essential to take security measures to avoid falling victim to this type of attack. Here are some key recommendations:
- Always update the firmware to the latest available version.
- Disable unnecessary services, such as Telnet, rsync, and UPnP, if you are not using them.
- Do not expose your NAS directly to the Internet; if you need remote access, do so through a secure VPN.
- Restrict access by IP or users and set up two-factor authentication (2FA) whenever possible.
- Perform regular backups to external devices or the cloud, encrypted and disconnected from the main system.
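One way to verify the exposure-related recommendations above on a NAS you administer, as an added example that is not part of the original article: run it from a machine outside your own network against the address the NAS would be reachable at. The port table is an assumption based on common default ports, and `RISKY_SERVICES`, `audit_exposure` and `report` are names chosen here.

```python
import socket

# Assumed default TCP ports (not from the article); adjust if your NAS uses
# custom ports. UPnP discovery (SSDP) runs over UDP 1900 and is not covered
# by this TCP check; turn it off on the NAS and on the router.
RISKY_SERVICES = {
    22: ("SSH", "reach it through the VPN only"),
    23: ("Telnet", "disable it; it sends credentials in cleartext"),
    445: ("SMB file sharing", "never publish it to the Internet; use the VPN"),
    873: ("rsync", "disable it if unused, or restrict it to the backup host"),
    5000: ("Synology DSM web UI (HTTP)", "close the port forward; use the VPN"),
    5001: ("Synology DSM web UI (HTTPS)", "close the port forward; use the VPN and 2FA"),
}

def is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False

def audit_exposure(host, services=RISKY_SERVICES, timeout=2.0):
    """Return one finding per reachable service, ordered by port."""
    findings = []
    for port in sorted(services):
        name, advice = services[port]
        if is_open(host, port, timeout):
            findings.append({"port": port, "service": name, "advice": advice})
    return findings

def report(host, findings):
    """Format the findings as a short text report."""
    if not findings:
        return f"{host}: none of the checked services are reachable"
    lines = [f"{host}: {len(findings)} service(s) reachable"]
    lines += [f"  tcp/{f['port']:<5} {f['service']}: {f['advice']}" for f in findings]
    return "\n".join(lines)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target, audit_exposure(target)))
```

An empty result from outside the network, combined with working access over the VPN, is the state the recommendations aim for.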
Above all, consider using a solution such as TecnetProtect Backup, a platform based on technology from Acronis, a world leader in data protection. This solution not only performs automatic and secure backups, but also includes advanced defenses against ransomware, the same ones that have positioned Acronis as one of the most reliable tools on the market.
With TecnetProtect Backup, your data is protected against malicious encryption, zero-day attacks, and other types of cyber threats, allowing you to quickly recover information without paying ransoms or wasting valuable time.
In short, combining good security practices with specialized tools is the best way to ensure business continuity and avoid the serious consequences of an attack.