Law Enforcement Dismantles Diskstation Group That Attacked NAS Devices

Date: 18/07/2025

Law enforcement reported the dismantling of Diskstation, a Romanian ransomware group that had encrypted the systems of several companies in Italy, paralyzing their businesses.

The law enforcement operation was conducted under the code name Operation Elicius and was coordinated by Europol. The operation also involved representatives from the police forces of France and Romania.

Diskstation is ransomware that targets Synology NAS devices, which companies often use for centralized storage and file sharing, data backup and recovery, and hosting collaborative content.

Since 2021, this malware has attacked NAS devices worldwide and has been known by various names, including DiskStation Security, Quick Security, LegendaryDisk Security, 7even Security, and Umbrella Security. The attacks targeted internet-connected devices: files on them were ultimately encrypted, and the attackers demanded ransoms ranging from $10,000 to several hundred thousand US dollars.

Law enforcement officials said in a statement that companies victimized by Diskstation faced significant system disruptions and business process interruptions.

“Companies faced the encryption of data in their IT systems, leading to a complete ‘paralysis’ of their production processes. To restore access to their data and resume operations, victims had to pay large ransoms to attackers in cryptocurrency,” investigators report.

Among the victims of Diskstation who approached the police were companies involved in graphics and film production, event organizers, as well as international non-profit organizations engaged in civil rights protection and charitable activities.

The investigation led by the Milan prosecutor’s office focused on studying compromised systems and blockchain analytics to track paid ransoms. Over several months, investigators were able to identify several suspects, which enabled raids to be conducted in Bucharest as early as June 2024.

During these raids, additional evidence was obtained confirming the police’s suspicions, and individuals connected to the Diskstation attacks were arrested.

A 44-year-old Romanian citizen is suspected of being the leader of the group and the main operator of the Diskstation attacks. He is currently in pre-trial detention on charges of unauthorized access to computer systems and extortion.
