Police Disrupt Diskstation Ransomware Gang Targeting NAS Devices

Edward Zhou
CEO & Founder

July 16, 2025 4 min read

Image courtesy of BleepingComputer

An international law enforcement action has dismantled a Romanian ransomware gang known as "Diskstation", which encrypted the systems of several companies in Italy's Lombardy region and paralyzed their operations. The operation, codenamed "Operation Elicius", was coordinated by Europol and involved police forces from France and Romania.

Diskstation targets Synology Network-Attached Storage (NAS) devices, which companies commonly use for centralized file storage, backups, and content hosting. The ransomware operation has been active since 2021 under several names, including "DiskStation Security" and "LegendaryDisk Security." Its attacks focused primarily on NAS devices exposed directly to the internet, with ransom demands ranging from $10,000 to hundreds of thousands of dollars.

DiskStation ransom note (source: BleepingComputer)

Italy's Postal and Cybersecurity Police Service noted that the targeted companies suffered severe outages from the data encryption and ended up paying substantial ransoms in cryptocurrency to recover their data. Victims included graphic and film production firms, event organizers, and NGOs focused on civil rights. The investigation, led by the Milan Prosecutor's Office, used forensic analysis and blockchain tracking to identify the suspects, resulting in arrests in Bucharest.

To reduce the risk of this kind of attack, NAS owners are advised to keep the device's firmware and packages updated, disable services they do not need, avoid exposing the NAS (and in particular its management interface) directly to the internet, and put any remote access behind a VPN.
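The quickest way to check the "limit internet exposure" point is to look at which services the NAS has bound to every interface rather than to localhost or a LAN address. The following shell audit is an added example, not code from the article, BleepingComputer or Synology: it reads the NAS's own listener table (`netstat -tln` or `ss -tln` output) and flags wildcard-bound listeners on ports a Synology NAS should not expose. The port list is an assumption based on commonly documented DSM defaults, and the sample `netstat` output at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or Synology): audit a NAS for services
# bound to every interface. Run on the NAS itself:
#     netstat -tln | sh nas_exposure_check.sh
# or pass --demo to run it against the constructed sample at the bottom.

# TCP ports worth keeping off the internet on a Synology NAS. These are the
# commonly documented DSM defaults (an assumption; adjust to your own setup):
#   21 FTP, 22 SSH, 23 Telnet, 139/445 SMB, 873 rsync, 5000/5001 DSM web UI
RISKY_PORTS="21 22 23 139 445 873 5000 5001"

# flag_exposed: read `netstat -tln` / `ss -tln` lines on stdin and print one
# EXPOSED line per listener bound to all interfaces on a risky port.
flag_exposed() {
    while read -r line; do
        # The first field that ends in :<port> is the local address column
        # in both netstat and ss output; header lines have no such field.
        addr=$(printf '%s\n' "$line" |
            awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { print $i; exit } }')
        if [ -z "$addr" ]; then
            continue
        fi
        port=${addr##*:}
        host=${addr%:*}
        # Wildcard binds: 0.0.0.0, :: (netstat prints :::port), [::] and ss's bare *
        case "$host" in
            0.0.0.0|::|'[::]'|'*') ;;
            *) continue ;;   # loopback or a specific LAN address: not flagged
        esac
        for p in $RISKY_PORTS; do
            if [ "$p" = "$port" ]; then
                printf 'EXPOSED tcp/%s bound to %s\n' "$port" "$host"
            fi
        done
    done
    return 0
}

# Constructed sample of what a poorly locked-down DSM might report.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:8080       0.0.0.0:*               LISTEN
tcp6       0      0 :::445                  :::*                    LISTEN'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | flag_exposed
fi
```

On the constructed sample the script flags the DSM web UI on 5000/5001 and SMB on 445, while the MySQL listener on loopback and the service bound to a single LAN address pass. A wildcard bind is only dangerous if the router or firewall actually forwards the port, so treat each EXPOSED line as a prompt to check port-forwarding and the DSM firewall rules, and to move the service behind a VPN if it needs to be reachable from outside.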

INTERPOL disrupts over 22,000 malicious servers in global crackdown

INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime
Image courtesy of The Hacker News

In a global operation named Operation Synergia II, INTERPOL announced the takedown of over 22,000 malicious servers linked to a range of cyber threats, including ransomware. The operation, which ran from April to August 2024, targeted phishing and information-stealer infrastructure and also led to the seizure of servers and electronic devices.

Key outcomes included the takedown of 1,037 servers by Hong Kong police and the disruption of 291 servers in Macau. The coordinated effort underscores the continuous, global nature of the fight against cybercrime.

Synology urges patch for critical zero-click RCE flaw

Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices
Image courtesy of The Hacker News

Synology has issued an urgent patch for a critical security vulnerability in the Synology Photos and BeePhotos applications that ship with its DiskStation and BeeStation devices, tracked as CVE-2024-10443 and dubbed RISK:STATION. The zero-click flaw lets an attacker execute code as root on millions of devices without any user interaction. It was demonstrated at the Pwn2Own Ireland 2024 hacking contest, which is why Synology is urging owners to install the update immediately rather than waiting for it to be exploited in the wild.

North Korean group collaborates with Play ransomware

North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack
Image courtesy of The Hacker News

A North Korean group has been linked to deployments of the Play ransomware, a significant instance of a state-sponsored actor working with an underground cybercriminal operation. The activity, observed between May and September 2024, was attributed to the threat actor tracked as Jumpy Pisces, and marks a notable escalation in the financial motivation of state-sponsored groups.

Four REvil ransomware members sentenced

Four REvil Ransomware Members Sentenced in Rare Russian Cybercrime Convictions
Image courtesy of The Hacker News

In a rare set of Russian cybercrime convictions, four members of the REvil ransomware group have been sentenced in Russia for their roles in hacking and money laundering, receiving prison terms ranging from 4.5 to 6 years. The case highlights the growing legal repercussions for cybercriminals in Russia.

New Qilin.B ransomware variant emerges

New Qilin.B Ransomware Variant Emerges with Improved Encryption and Evasion Tactics
Image courtesy of The Hacker News

Researchers have identified an advanced variant of the Qilin ransomware, named Qilin.B. The new version uses stronger encryption, combining AES-256-CTR for file contents with RSA-4096 for key protection, which makes file decryption without the attacker's private key infeasible. Its sophistication and evasion tactics present a growing threat to organizations.

Why phishing-resistant MFA is essential

Why Phishing-Resistant MFA Is No Longer Optional: The Hidden Risks of Legacy MFA
Image courtesy of The Hacker News

The Department of Homeland Security and CISA have issued a warning stressing the importance of implementing phishing-resistant multi-factor authentication (MFA) to combat ransomware attacks. Organizations are urged to move away from SMS-based OTPs in favor of more secure methods, highlighting the evolving threat landscape.

Lazarus Group exploits Google Chrome vulnerability

Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices
Image courtesy of The Hacker News

The Lazarus Group has exploited a zero-day vulnerability in Google Chrome to gain control over devices. Kaspersky reported that this attack chain targeted individuals within the cryptocurrency sector, emphasizing the ongoing risks associated with browser vulnerabilities.

Ransomware gangs use LockBit's fame to intimidate victims

Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks
Image courtesy of The Hacker News

Threat actors are manipulating the reputation of the notorious LockBit ransomware to exert pressure on victims. By disguising their ransomware as LockBit, attackers aim to instill fear and further control over their targets, complicating response efforts.

North Korean IT workers demand ransom for stolen data


CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read