Bleeping Computer has warned of a wave of malware attacks on users of Synology and Lenovo Iomega NAS devices.
Unknown attackers penetrate users’ devices, encrypt files and leave a note demanding a ransom of 0.01-0.05 bitcoin.
Text of the ransom note:
YOUR FILES HAVE BEEN ENCRYPTED AND MOVED TO A SAFE LOCATION. IF YOU NEED THEM BACK PLEASE SEND 0.03 BITCOIN TO THIS ADDRESS:
13gMN3sJFxoLvoDzyGxq31sr4k9P2qqMDQ
YOU HAVE UNTIL THE 1st OF AUGUST 2019 TO MAKE THE PAYMENT OR YOUR FILES WILL BE GONE FOR GOOD.
YOUR UNIQE ID IS: "xxx".
BE SURE TO INCLUDE IT IN THE PAYMENT COMMENTS, OR EMAIL ME THE CODE AND PAYMENT CONFIRMATION TO: iomega@cock.li
AFTER THE PAYMENT YOU WILL RECEIVE A NEW FILE ON YOUR NAS DEVICE WITH THE LINK TO YOUR DECRYPTED FILES.
THANK YOU FOR YOUR COOPERATION.
“One of the bitcoin addresses associated with this attack is 13gMN3sJFxoLvoDzyGxq31sr4k9P2qqMDQ and has received 9 payments since June 27th that could be related to this campaign based on the payment amounts,” Bleeping Computer journalists reported.
However, Bleeping Computer founder Lawrence Abrams warns that although the criminals claim in their messages that they encrypted or “hid” the victims’ files (sometimes the attackers also threaten to sell the allegedly stolen data on the darknet), it looks like the files on the victims’ devices are in fact simply deleted.
In only one case did an affected user state that he was able to recover information by connecting the NAS to his PC via the USB port.
How exactly the criminals penetrate victims’ devices has not yet been established. However, judging by Shodan statistics, many Lenovo Iomega devices are freely accessible from the Internet. Lenovo has previously issued recommendations for configuring the devices properly so that users can protect themselves. In addition, a bug was reported earlier this month that allows unauthorized attackers to access files stored on Lenovo Iomega devices.
However, problems of this kind are not limited to Lenovo Iomega users. Recently, representatives of Synology also issued a warning to their users, saying that the company’s NAS devices are under organized attack.
In the case of Synology NAS devices, the attacks are brute-force attempts to guess administrator passwords. If the brute force succeeds, the attackers get into the device, encrypt all of the victim’s data and demand a ransom of 0.06 Bitcoin.
Synology representatives published detailed instructions on how to properly configure the NAS, and reminded users of the need to use strong passwords and two-step verification.
Recommendations:
Unless you require public access to your files, all NAS devices should be secured by a firewall and only accessible via a VPN. If you do not have the capability of using a VPN to access your internal network, then at a minimum you should make sure to secure the devices so that they require a strong password to access the device.
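For the brute-force attacks on administrator passwords described above, a defender can watch login records for a burst of failures from one address and, more urgently, for a successful login that follows such a burst. The script below is an added example, not code from Synology, Lenovo or Bleeping Computer; the log format, the `detect` function and its threshold and window values are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical "timestamp user source-ip result"
# format; real NAS logs differ and need their own parser.
SAMPLE_LOG = """\
2019-07-20T03:10:01 admin 203.0.113.7 FAIL
2019-07-20T03:10:03 admin 203.0.113.7 FAIL
2019-07-20T03:10:05 admin 203.0.113.7 FAIL
2019-07-20T03:10:06 admin 192.168.1.20 FAIL
2019-07-20T03:10:08 admin 203.0.113.7 FAIL
2019-07-20T03:10:10 admin 203.0.113.7 FAIL
2019-07-20T03:10:12 admin 203.0.113.7 OK
2019-07-20T03:10:30 admin 192.168.1.20 OK
2019-07-20T04:00:00 admin 198.51.100.9 FAIL
2019-07-20T04:10:00 admin 198.51.100.9 FAIL
2019-07-20T04:20:00 admin 198.51.100.9 FAIL
2019-07-20T04:30:00 admin 198.51.100.9 FAIL
2019-07-20T04:40:00 admin 198.51.100.9 FAIL
"""

def detect(log_text, threshold=5, window=timedelta(minutes=5), account="admin"):
    """Return (bursts, hits): source IPs with at least `threshold` failed
    logins for `account` inside `window`, and (ip, user, time) tuples for
    successful logins that came from an already flagged IP."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged, hits = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, ip, result = line.split()
        if user != account:
            continue
        ts = datetime.fromisoformat(ts_raw)
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                flagged.add(ip)
        elif result == "OK" and ip in flagged:
            hits.append((ip, user, ts.isoformat()))   # likely guessed password
    return sorted(flagged), hits

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A single mistyped password followed by a success is not flagged, and neither is slow guessing that stays under the threshold inside the window, so the values need tuning against the device's real login volume.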