Law Enforcement Dismantles Diskstation Group That Attacked NAS Devices


Date: 18/07/2025

Law enforcement has reported dismantling the Romanian ransomware group Diskstation, which had encrypted the systems of several companies in Italy, paralyzing their businesses.

The law enforcement operation was conducted under the code name Operation Elicius and was coordinated by Europol. The operation also involved representatives from the police forces of France and Romania.

The Diskstation malware is ransomware targeting Synology NAS devices, which are often used by companies for centralized storage and file sharing, data backup and recovery, as well as hosting collaborative content.

Since 2021, this malware has attacked NAS devices worldwide and was known by various names, including DiskStation Security, Quick Security, LegendaryDisk Security, 7even Security, and Umbrella Security. The attacks targeted internet-connected devices, whose files were ultimately encrypted, and the attackers demanded ransoms from the victims ranging from $10,000 to several hundred thousand US dollars.

According to a statement from law enforcement officials, companies victimized by Diskstation faced significant system disruptions and business process interruptions.

“Companies faced the encryption of data in their IT systems, leading to a complete ‘paralysis’ of their production processes. To restore access to their data and resume operations, victims had to pay large ransoms to attackers in cryptocurrency,” investigators report.

Among the victims of Diskstation who approached the police were companies involved in graphics and film production, event organizers, as well as international non-profit organizations engaged in civil rights protection and charitable activities.

The investigation led by the Milan prosecutor’s office focused on studying compromised systems and blockchain analytics to track paid ransoms. Over several months, investigators were able to identify several suspects, which enabled raids to be conducted in Bucharest as early as June 2024.

During these raids, additional evidence was obtained confirming the police’s suspicions, and individuals connected to the Diskstation attacks were arrested.

A 44-year-old Romanian citizen is suspected of being the leader of the group and the main operator of the Diskstation attacks. He is currently in pre-trial detention on charges of unauthorized access to computer systems and extortion.
