Law enforcement reported the dismantling of the Romanian ransomware hacker group Diskstation, which had previously successfully encrypted the systems of several companies in Italy, paralyzing their businesses.
The law enforcement operation was conducted under the code name Operation Elicius and was coordinated by Europol. The operation also involved representatives from the police forces of France and Romania.
The Diskstation malware is a ransomware targeting Synology NAS devices, which are often used by companies for centralized storage and file sharing, data backup and recovery, as well as hosting collaborative content.
Since 2021, this malware has attacked NAS devices worldwide and was known by various names, including DiskStation Security, Quick Security, LegendaryDisk Security, 7even Security, and Umbrella Security. The attacks targeted internet-connected devices, where files were ultimately encrypted, and the attackers demanded ransoms from the victims ranging from $10,000 to several hundred thousand US dollars.
A statement from law enforcement officials states that companies victimized by Diskstation faced significant system disruptions and business process interruptions.
“Companies faced the encryption of data in their IT systems, leading to a complete ‘paralysis’ of their production processes. To restore access to their data and resume operations, victims had to pay large ransoms to attackers in cryptocurrency,” investigators report.
Among the victims of Diskstation who approached the police were companies involved in graphics and film production, event organizers, as well as international non-profit organizations engaged in civil rights protection and charitable activities.
The investigation led by the Milan prosecutor’s office focused on studying compromised systems and blockchain analytics to track paid ransoms. Over several months, investigators were able to identify several suspects, which enabled raids to be conducted in Bucharest as early as June 2024.
During these raids, additional evidence was obtained confirming the police’s suspicions, and individuals connected to the Diskstation attacks were arrested.
A 44-year-old Romanian citizen is suspected of being the leader of the group and the main operator of the Diskstation attacks. He is currently in pre-trial detention on charges of unauthorized access to computer systems and extortion.
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters
According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…
Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →