Police Dismantle DiskStation Ransomware Targeting NAS Devices

Alan V Gutnov

Director of Strategy

 
July 17, 2025

Police disrupt “Diskstation” ransomware gang attacking NAS devices

An international law enforcement operation dismantled a Romanian ransomware gang known as 'Diskstation,' which encrypted the systems of several companies in the Lombardy region, paralyzing their businesses. The operation, codenamed 'Operation Elicius,' was coordinated by Europol and involved police forces in France and Romania.

Diskstation is a ransomware operation targeting Synology Network-Attached Storage (NAS) devices, commonly used by companies for centralized file storage, data backup, and content hosting. Since 2021, this gang has used various names, including "DiskStation Security" and "Quick Security." Their attacks primarily targeted internet-exposed NAS devices, encrypting files and demanding ransom payments ranging from $10,000 to hundreds of thousands of dollars.

An announcement from the Postal and Cybersecurity Police Service indicated that the victims faced severe operational disruptions due to data encryption. "These companies had experienced encryption of data on their IT systems, resulting in the complete 'paralysis' of their production processes," reads the announcement. To regain access, victims were required to pay substantial ransoms in cryptocurrency.

The investigation, led by the Milan Prosecutor's Office, involved forensic analysis of compromised systems and blockchain analysis to trace ransom payments. Within months, investigators identified several suspects, leading to raids in Bucharest in June 2024, resulting in arrests, including a 44-year-old Romanian man suspected of being the primary operator behind the attacks.

To protect NAS devices from unauthorized access or ransomware attacks, ensure they run the latest available firmware, disable unnecessary services, do not expose them to the internet, and restrict access to VPN connections only.

Authorities Dismantled “Diskstation” Ransomware Attacking Synology NAS Devices Worldwide

The Italian State Police, in collaboration with French and Romanian law enforcement, dismantled the Diskstation ransomware group targeting Synology NAS devices globally. The operation resulted in multiple arrests and exposed a sophisticated cybercriminal network that encrypted systems and demanded cryptocurrency for data recovery.

The investigation was initiated after complaints from Lombardy-based companies whose IT infrastructures were compromised. The criminals employed advanced encryption algorithms, rendering critical data inaccessible and paralyzing production across various sectors, including graphic design and film production.

The Cybersecurity Operations Center in Milan conducted comprehensive forensic analysis of attacked systems and performed detailed blockchain analysis to trace cryptocurrency transactions. This dual approach was crucial in identifying attack vectors and establishing the operational structure of the criminal network.

The ransomware group exhibited expertise in exploiting vulnerabilities within Synology NAS devices, leveraging zero-day exploits and credential stuffing techniques for unauthorized access before deploying encryption payloads.

Ransomware Ring Shut Down

The complexity of the cybercriminal operation necessitated expanded international cooperation, leading to a specialized task force coordinated by Europol. The collaborative effort included cyber crime units from Italy, France, and Romania, contributing expertise in digital forensics and cross-border legal procedures.

During searches in Bucharest in June 2024, investigators from the Milan COSC, alongside Romanian authorities, apprehended several suspects committing cybercrime. The operation yielded substantial digital evidence confirming the investigative hypotheses.

The primary suspect, a 44-year-old Romanian citizen, has been placed in pre-trial detention facing charges of “Unauthorized Access to a Computer or Telematic System” and “Extortion.” These charges reflect the serious nature of the crimes affecting numerous victims.

Synology has been advising users on how to protect their NAS devices from ransomware attacks for years. Recommendations include minimizing internet exposure, hardening password security, and ensuring regular backups.

To further enhance security, users should enable two-step verification (2FA) and disable or rename default “admin” accounts. Disabling remote services like QuickConnect, WebDAV, and SSH can also mitigate risks, while utilizing Synology’s firewall to restrict access is advisable. Keeping NAS devices updated with the latest security patches is essential for ongoing protection.
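One way to verify the exposure advice above from a vantage point outside your own network, as an added example that is not part of the original article or Synology's tooling. It assumes the NAS still uses the DSM default ports (22, 5000/5001, 5005/5006); the function names and the port table are illustrative.

```python
import socket
import sys

# Default Synology DSM ports for the services the article names. Adjust the
# table if you changed them in DSM. QuickConnect is relayed rather than exposed
# as a listening port, so check it in DSM's settings instead.
SYNOLOGY_DEFAULT_PORTS = {
    22: ("SSH", "disable SSH or allow it only over the VPN"),
    5000: ("DSM web UI (HTTP)", "do not publish DSM; reach it through the VPN"),
    5001: ("DSM web UI (HTTPS)", "do not publish DSM; reach it through the VPN"),
    5005: ("WebDAV (HTTP)", "disable WebDAV if it is not needed"),
    5006: ("WebDAV (HTTPS)", "disable WebDAV if it is not needed"),
}


def is_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered, or name not resolved
        return False


def audit_exposure(host, services=SYNOLOGY_DEFAULT_PORTS, timeout=2.0):
    """List every service in `services` that answers on `host`."""
    findings = []
    for port, (name, advice) in sorted(services.items()):
        if is_reachable(host, port, timeout):
            findings.append({"port": port, "service": name, "advice": advice})
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: nas_exposure.py <public-address-of-your-own-NAS>")
    target = sys.argv[1]
    results = audit_exposure(target)
    for f in results:
        print(f"EXPOSED {target}:{f['port']} {f['service']} -> {f['advice']}")
    if not results:
        print(f"No default NAS service ports answered on {target}")
    sys.exit(1 if results else 0)
```

Run it against your own public address from a network outside the firewall; a non-zero exit status means at least one of the listed services is reachable from the internet.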

For more information on securing NAS devices from ransomware, visit Synology's website.
