Authorities Dismantle DiskStation Ransomware Targeting NAS Devices
Authorities Dismantled “Diskstation” Ransomware Attacking Synology NAS Devices Worldwide
Italian State Police, in collaboration with French and Romanian law enforcement agencies, have successfully dismantled the “Diskstation” ransomware group that targeted Synology Network-Attached Storage (NAS) devices globally. The operation, coordinated through EUROPOL, resulted in the arrest of several Romanian nationals and exposed a sophisticated cybercriminal network that encrypted victim systems and demanded cryptocurrency payments for data recovery.
Key Takeaways
- Italian police, with French and Romanian authorities, dismantled the "Diskstation" ransomware gang targeting Synology NAS devices worldwide.
- Criminals encrypted business systems and demanded cryptocurrency ransoms from victims in various sectors.
- Authorities used forensic analysis and blockchain tracking to trace the criminal network.
- Several Romanian nationals were arrested, including the primary suspect (44), who faces detention on charges of unauthorized computer access and extortion.
Ransomware Gang Exploits Synology NAS Zero-Days
The investigation began after numerous complaints from Lombardy-based companies about ransomware attacks. The cybercriminals used sophisticated encryption algorithms to render business-critical data inaccessible, paralyzing production processes in sectors like graphic design, film production, and event organization.
The Cybersecurity Operations Center in Milan conducted comprehensive forensic analysis of the attacked computer systems. Investigators also performed detailed blockchain analysis to trace cryptocurrency transactions, employing specialized tools that tracked payments from victims to the perpetrators' wallets.
The ransomware group demonstrated expertise in exploiting vulnerabilities within Synology NAS devices, commonly used for data storage and backup solutions. Attackers leveraged zero-day exploits and credential stuffing to gain unauthorized access before deploying their encryption payloads.
Ransomware Ring Shut Down
The complexity of the operation necessitated international cooperation, leading to the establishment of a specialized task force coordinated by EUROPOL. Cyber crime units from Italy, France, and Romania contributed their expertise in digital forensics, cryptocurrency analysis, and cross-border legal procedures.
In June 2024, police conducted coordinated searches in Bucharest, leading to the apprehension of suspects in the act of cybercrime. The operation yielded substantial digital evidence confirming the investigative hypotheses and revealing the full scope of the network's activities. The primary suspect, a 44-year-old Romanian, has been placed in pre-trial detention on charges of “Unauthorized Access to a Computer or Telematic System” and “Extortion.”
Italian Police Dismantle Romanian Ransomware Gang Targeting Nonprofits and Film Companies
Italian police have dismantled the Romanian ransomware gang known as “Diskstation,” targeting civil rights groups, design and film production companies, and international nonprofits in northern Italy. The group is accused of encrypting victims’ systems and demanding large cryptocurrency ransoms to restore access to the data.
The operation began after multiple companies in the Lombardy region reported being locked out of their systems. Investigators identified several Romanian nationals allegedly involved in the attacks.
In June, police raided homes in Bucharest, seizing digital evidence and apprehending suspects, some caught in the act of cyberattacks. A Milan judge ordered the pre-trial detention of the suspected group leader, a 44-year-old Romanian man, facing charges of unauthorized access and extortion.
Symantec Endpoint Management Suite Vulnerability Allows Malicious Code Execution Remotely
A critical security vulnerability has been discovered in Broadcom’s Symantec Endpoint Management Suite, enabling unauthenticated remote code execution. The flaw, identified as CVE-2025-5333 with a CVSS v4.0 score of 9.5, affects multiple versions of this widely-deployed solution, prompting immediate mitigation recommendations.
Key Takeaways
- CVE-2025-5333 (CVSS 9.5) affects Symantec Endpoint Management Suite 8.6.x-8.8, allowing unauthenticated remote code execution via port 4011.
- The vulnerability is due to insecure .NET object deserialization in the Altiris IRM component.
- To mitigate risk, block port 4011 on firewalls as it’s unnecessary for normal operations.
The vulnerability resides in the Symantec Altiris Inventory Rule Management (IRM) component, which exposes a legacy .NET Remoting endpoint. The CVSS vector indicates network-accessible exploitation requiring no user authentication.
Broadcom’s PSIRT team confirmed that port 4011 is not required for standard operations. Immediate actions include verifying firewall configurations and implementing recommended security controls to prevent exploitation.
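Added example (not a Broadcom script) of how an administrator can check the Notification Server host for a listener on TCP 4011 and add a host-firewall block as defense in depth alongside the perimeter block Broadcom recommends. It assumes an elevated PowerShell session on the Windows server running Symantec Endpoint Management with Windows Defender Firewall enabled; the rule name is constructed.

```powershell
# Added example, not Broadcom's guidance: inspect and block inbound TCP 4011, the port
# used by the Altiris IRM legacy .NET Remoting endpoint (CVE-2025-5333).
# Assumes: elevated session on the Symantec Endpoint Management server, Windows
# Defender Firewall in use. $RuleName is a constructed name, not a Broadcom identifier.
$Port     = 4011
$RuleName = 'Block-Altiris-IRM-Remoting-TCP4011'

# 1. Report anything currently listening on the port and the process that owns it.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        Write-Output "Listening on $($l.LocalAddress):$($l.LocalPort) owned by PID $($l.OwningProcess) ($name)"
    }
} else {
    Write-Output "No listener on TCP $Port right now; the block rule below still applies."
}

# 2. Create an inbound block rule unless one with this name already exists.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output "Created inbound block rule '$RuleName' for TCP $Port."
} else {
    Write-Output "Rule '$RuleName' already present; left unchanged."
}

# 3. Verify the rule is enabled, blocks, and its port filter really targets $Port.
$rule   = Get-NetFirewallRule -DisplayName $RuleName
$filter = $rule | Get-NetFirewallPortFilter
if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block' -and $filter.LocalPort -eq "$Port") {
    Write-Output "Verified: inbound TCP $Port is blocked by the host firewall."
} else {
    Write-Warning "Rule exists but not as expected; inspect with Get-NetFirewallRule -DisplayName '$RuleName'."
}
```

The host rule does not replace the perimeter block; confirm from a separate network segment that TCP 4011 on the server is unreachable after applying both.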