Posted on June 30, 2020 at 7:39 PM
A Hacking Group Wipes Lenovo NAS Devices, Asks for a Ransom
A hacking group known as ‘Cl0ud SecuritY’ has been found breaking into old LenovoEMC network-attached storage (NAS) devices. According to the report, the group deletes the files on the devices and leaves ransom notes demanding between $200 and $275 from victims who want their data back.
Attacks targeted only LenovoEMC storage devices
The group has been breaking into LenovoEMC storage devices for about a month, based on entries on BitcoinAbuse, a popular site that lists Bitcoin addresses abused in cybercrime, extortion and ransomware attacks. The site lets users report any address that has been involved in criminal activity.
According to the listing, the attacks appear to have targeted only LenovoEMC (previously known as Iomega) devices that expose their management interface online without any password protection. The report revealed that more than 1,000 such devices are exposed online.
Several of the NAS devices identified as likely victims contain ransom notes left by the attackers with the caption “RECOVER Your Files.”
The ‘Cl0ud SecuritY’ moniker appears on all of the ransom notes, and they all use the same contact email address, “cloud@mail2pay.com”, which indicates that the attacks and the follow-up ransom notes were issued by the same actors.
The report also revealed that this attack, discovered last month, appears to be a continuation of a series of attacks that began last year and likewise targeted LenovoEMC NAS devices in particular.
Although last year’s attackers used different email addresses and did not sign their ransom notes, there are strong similarities between the two campaigns. The report linked them, stating that the same actors are responsible for last year’s attacks and this month’s, since both belong to the same attack wave and target the same type of device.
Unsophisticated attackers
Victor Gevers, a security researcher at the GDI Foundation, shared his opinion and findings on the group. He said he has been tracking the attacks for many years, and that the attackers’ recent actions show the work of unsophisticated hands.
Gevers reiterated that the attackers did not use any sophisticated technique to carry out the attacks. He said the actors did not bother to encrypt the data, and that their targets were devices that were already vulnerable on the internet.
However, the hackers claim to have copied their targets’ files to their own servers, and they threaten to release the files publicly if the victims fail to pay the ransom within days.
But no one knows whether any of the data has been released publicly, or whether the attackers actually hold a copy of it anywhere, as they claim.
Hackers could be issuing empty threats
Since there is no concrete evidence that the hackers have the files, it appears that the attackers are only issuing empty threats: nothing shows that they stole or encrypted the data. Gevers suggested that the hackers’ aim could be to frighten victims into paying the ransom for data that the hackers have already wiped.
Attacks on LenovoEMC not the first
Gevers also stated that LenovoEMC devices have been under attack since the time the product line was still known as Iomega. He noted that this is not the first time they have been the subject of hacking attempts; he has been investigating hacking incidents since 1998.
Lenovo discontinued both the Iomega NAS and LenovoEMC lines in 2018, but about 1,000 devices are still exposed online. The number is not large because many of these NAS units reached end of life (EOL) a long time ago and many users have decommissioned them.
Gevers said the devices that remain online are vulnerable and have been the subject of several hacking attempts by cybercriminals. The attackers target the NAS devices that are still running and still connected to the internet, which leaves those devices the most exposed.