According to cybersecurity specialists, a hacker group calling itself “Cl0ud SecuritY” is accessing old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, deleting files and leaving ransom notes that ask admins to pay between $200 USD and $275 USD to recover access to their data.
The attacks have been reported for a couple of weeks, according to BitcoinAbuse, a platform where users can report Bitcoin addresses being used in ransomware attacks, phishing campaigns and other fraud variants. The attacks seem to target only LenovoEMC and Iomega NAS devices that expose their management interface on the Internet without a password.
Many of the NAS devices found through Shodan Internet scans contained a ransom note named “RECOVER YOUR FILES!!!!.TXT”. All ransom notes related to this campaign are signed by Cl0ud SecuritY and include the same contact email address (cloud@mail2pay.com).
The attacks recorded over the last few weeks appear to be a second stage of the attacks that started during 2019, which were also targeted exclusively at LenovoEMC NAS devices. Although last year’s attacks were unsigned and gave no email address for contacting the hackers, there are many similarities between the ransom notes used in both campaigns, so cybersecurity specialists believe the same hacker is behind both.
Researcher Victor Gevers says he and his team have been tracking such attacks for years, and they think the recent intrusions are a sample of how sophisticated this malicious actor has become. Gevers added that the attackers did not rely on a complex exploit, as they targeted devices that were already open on the Internet, and did not bother to encrypt the data.
The Cl0ud SecuritY hackers claim to have copied the victims’ files to their servers and threaten to leak them, usually if the ransom is not paid within five days. However, there is no evidence that the data has been backed up anywhere, nor is there data from previous victims who have made the payment. Gevers also said that attacks on LenovoEMC NAS devices are not new and that he has investigated such incidents since 1998.