Authorities Dismantle DiskStation Ransomware Targeting NAS Devices

Edward Zhou

CEO & Co-Founder

 
July 17, 2025

Authorities Dismantled “Diskstation” Ransomware Attacking Synology NAS Devices Worldwide


Italian State Police, in collaboration with French and Romanian law enforcement agencies, have successfully dismantled the “Diskstation” ransomware group that targeted Synology Network-Attached Storage (NAS) devices globally. The operation, coordinated through EUROPOL, resulted in the arrest of several Romanian nationals and exposed a sophisticated cybercriminal network that encrypted victim systems and demanded cryptocurrency payments for data recovery.

Key Takeaways

  1. Italian police, with French and Romanian authorities, dismantled the "Diskstation" ransomware gang targeting Synology NAS devices worldwide.
  2. Criminals encrypted business systems and demanded cryptocurrency ransoms from victims in various sectors.
  3. Authorities used forensic analysis and blockchain tracking to trace the criminal network.
  4. Several Romanian nationals were arrested, including a primary suspect (44) who faces detention on computer access and extortion charges.

Ransomware Gang Exploits Synology NAS Zero-Days

The investigation began after numerous complaints from Lombardy-based companies about ransomware attacks. The cybercriminals used sophisticated encryption algorithms to render business-critical data inaccessible, paralyzing production processes in sectors like graphic design, film production, and event organization.

The Cybersecurity Operations Center in Milan conducted comprehensive forensic analysis of the attacked computer systems. Investigators also performed detailed blockchain analysis to trace cryptocurrency transactions, employing specialized tools that tracked payments from victims to the perpetrators' wallets.

The ransomware group demonstrated expertise in exploiting vulnerabilities within Synology NAS devices, commonly used for data storage and backup solutions. Attackers leveraged zero-day exploits and credential stuffing to gain unauthorized access before deploying their encryption payloads.

Ransomware Ring Shut Down

The complexity of the operation necessitated international cooperation, leading to the establishment of a specialized task force coordinated by EUROPOL. Cyber crime units from Italy, France, and Romania contributed their expertise in digital forensics, cryptocurrency analysis, and cross-border legal procedures.

In June 2024, police conducted coordinated searches in Bucharest, leading to the apprehension of suspects in the act of cybercrime. The operation yielded substantial digital evidence confirming the investigative hypotheses and revealing the full scope of the network's activities. The primary suspect, a 44-year-old Romanian, has been placed in pre-trial detention on charges of “Unauthorized Access to a Computer or Telematic System” and “Extortion.”

Italian Police Dismantle Romanian Ransomware Gang Targeting Nonprofits and Film Companies


Italian police have dismantled the Romanian ransomware gang known as “Diskstation,” which targeted civil rights groups, design and film production companies, and international nonprofits in northern Italy. The group is accused of encrypting victims’ systems and demanding large cryptocurrency ransoms to restore access to the data.

The operation began after multiple companies in the Lombardy region reported being locked out of their systems. Investigators identified several Romanian nationals allegedly involved in the attacks.

In June, police raided homes in Bucharest, seizing digital evidence and apprehending suspects, some caught in the act of cyberattacks. A Milan judge ordered the pre-trial detention of the suspected group leader, a 44-year-old Romanian man, facing charges of unauthorized access and extortion.

Symantec Endpoint Management Suite Vulnerability Allows Malicious Code Execution Remotely


A critical security vulnerability has been discovered in Broadcom’s Symantec Endpoint Management Suite, enabling unauthenticated remote code execution. The flaw, identified as CVE-2025-5333 with a CVSS v4.0 score of 9.5, affects multiple versions of this widely-deployed solution, prompting immediate mitigation recommendations.

Key Takeaways

  1. CVE-2025-5333 (CVSS 9.5) affects Symantec Endpoint Management Suite 8.6.x-8.8, allowing unauthenticated remote code execution via port 4011.
  2. The vulnerability is due to insecure .NET object deserialization in the Altiris IRM component.
  3. To mitigate risk, block port 4011 on firewalls as it’s unnecessary for normal operations.

The vulnerability resides in the Symantec Altiris Inventory Rule Management component and involves an exposed legacy .NET Remoting endpoint. The CVSS vector indicates that exploitation is possible over the network and requires no user authentication.

Broadcom’s PSIRT team confirmed that port 4011 is not required for standard operations. Immediate actions include verifying firewall configurations and implementing recommended security controls to prevent exploitation.
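One way to verify and apply the port 4011 mitigation on a Windows server with the built-in host firewall, shown as an added example that is not from Broadcom's advisory or the original article. It assumes the endpoint listens over TCP, that the session is elevated, and the rule name is a placeholder.

```powershell
# Added example: audit and block inbound TCP 4011 on a Windows host.
# Assumptions: TCP transport, elevated session, placeholder rule name.
$Port     = 4011
$RuleName = 'Block inbound TCP 4011 (CVE-2025-5333 mitigation)'

# 1. Is anything listening on the port, and which process owns it?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} is listening (PID {2}, {3})' -f `
            $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName
    }
} else {
    "No listener on TCP $Port"
}

# 2. Is there already an enabled inbound block rule that names this port?
#    Rules that cover 4011 only through a port range are not matched here.
$blocking = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True `
                -ErrorAction SilentlyContinue |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains "$Port"
    }

# 3. Create the rule only when it is missing, so reruns do not add duplicates.
#    The rule only takes effect on profiles where Windows Firewall is enabled.
if (-not $blocking) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Block -Profile Any | Out-Null
    "Created rule: $RuleName"
} else {
    'Existing block rule(s): ' + ($blocking.DisplayName -join ', ')
}
```

A listener bound to `0.0.0.0` or `::` in step 1 is reachable on every interface, so confirm the block at the network perimeter as well as on the host.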

For further information on securing devices, explore resources on how to prevent ransomware attacks.

Edward Zhou

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
