Law enforcement reported the dismantling of the Romanian ransomware hacker group Diskstation, which had previously successfully encrypted the systems of several companies in Italy, paralyzing their businesses.
The law enforcement operation was conducted under the code name Operation Elicius and was coordinated by Europol. The operation also involved representatives from the police forces of France and Romania.
The Diskstation malware is a ransomware targeting Synology NAS devices, which are often used by companies for centralized storage and file sharing, data backup and recovery, as well as hosting collaborative content.
Since 2021, this malware has attacked NAS devices worldwide and was known by various names, including DiskStation Security, Quick Security, LegendaryDisk Security, 7even Security, and Umbrella Security. The attacks targeted internet-connected devices, where files were ultimately encrypted, and the attackers demanded ransoms from the victims ranging from $10,000 to several hundred thousand US dollars.
A statement from law enforcement officials states that companies victimized by Diskstation faced significant system disruptions and business process interruptions.
“Companies faced the encryption of data in their IT systems, leading to a complete ‘paralysis’ of their production processes. To restore access to their data and resume operations, victims had to pay large ransoms to attackers in cryptocurrency,” investigators report.
Among the victims of Diskstation who approached the police were companies involved in graphics and film production, event organizers, as well as international non-profit organizations engaged in civil rights protection and charitable activities.
The investigation led by the Milan prosecutor’s office focused on studying compromised systems and blockchain analytics to track paid ransoms. Over several months, investigators were able to identify several suspects, which enabled raids to be conducted in Bucharest as early as June 2024.
During these raids, additional evidence was obtained confirming the police’s suspicions, and individuals connected to the Diskstation attacks were arrested.
A 44-year-old Romanian citizen is suspected of being the leader of the group and the main operator of the Diskstation attacks. He is currently in pre-trial detention on charges of unauthorized access to computer systems and extortion.