An international law enforcement action dismantled a Romanian ransomware gang known as 'Diskstation,' which encrypted the systems of several companies in the Lombardy region, paralyzing their businesses. [...]
Analysis Summary
# Incident Report: Police Disruption of "Diskstation" Ransomware Gang
## Executive Summary
Law enforcement agencies, led by the Milan Prosecutor's Office, disrupted the "Diskstation" ransomware group, which targeted Network Attached Storage (NAS) devices, notably Synology DiskStation units. Victims, including NGOs, graphic firms, and event organizers, suffered operational shutdowns until a substantial ransom in cryptocurrency was paid. The response culminated in international raids in June 2024, leading to the arrest of the primary suspect believed to have operated the extortion scheme.
## Incident Details
- Discovery Date: Unknown; incidents were reported to the police over time, leading to the investigation.
- Incident Date: Ongoing campaign occurring prior to June 2024.
- Affected Organization: Multiple organizations, including graphic and film production firms, event organizers, and international NGOs (civil rights and charity work).
- Sector: Various (Media/Production, Event Management, Non-Profit/Charity).
- Geography: Investigation led in Italy (Milan Prosecutor's Office), raids conducted in Romania (Bucharest).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing, prior to June 2024.
- Vector: Exploitation of unpatched vulnerabilities or weak configurations on NAS devices (inferred from the group's name and its targeting of DiskStation units; the source names no specific vulnerability).
- Details: Attackers gained unauthorized access to NAS devices, commonly used for data storage.
### Lateral Movement
- Details: Not explicitly detailed, but successful encryption implies the attackers gained sufficient control over the compromised NAS systems.
### Data Exfiltration/Impact
- Details: Attackers encrypted the data stored on the targeted NAS devices, causing a complete loss of access to organizational data. Victims were forced to pay a substantial ransom in cryptocurrency to regain access.
### Detection & Response
- Date/Time: Investigations intensified leading up to June 2024.
- Details: Victims reported incidents to the police. Investigations utilized forensic analysis of compromised systems and blockchain analysis to trace ransom payments. International law enforcement executed raids in Bucharest in June 2024 based on evidence gathered.
## Attack Methodology
- Initial Access: Unauthorized access to NAS devices (implied vulnerability exploitation or weak security).
- Persistence: Not detailed; presumably established in order to deploy the ransomware payload.
- Privilege Escalation: Not detailed; encrypting the storage volumes requires sufficient privileges on the device.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: Data on NAS devices was targeted for encryption.
- Exfiltration: Not explicitly mentioned as a primary step, but data access was denied through encryption.
- Impact: Extortion via ransomware deployment, leading to data unavailability and operational disruption.
## Impact Assessment
- Financial: Victims incurred costs through ransom payments (substantial) and operational downtime.
- Data Breach: Data loss/unavailability due to encryption. The affected data varies by victim sector (e.g., client information, media assets, operational data).
- Operational: Significant operational disruption reported until the ransom was paid, affecting production firms, organizers, and NGOs.
- Reputational: Impact likely significant for NGOs and civil rights organizations reliant on public trust.
## Indicators of Compromise
- Network indicators: N/A (specific IPs/URLs not provided).
- File indicators: No hashes were provided; the ransomware payload deployed on DiskStation/NAS systems is the primary file-based indicator.
- Behavioral indicators: Unauthorized encryption of NAS storage volumes, demands for cryptocurrency ransom payments.
## Response Actions
- Containment measures: Not explicitly detailed; the law enforcement action is implied to have stopped the gang's operations.
- Eradication steps: Identification and arrest of suspects, disruption of the criminal infrastructure.
- Recovery actions: Victims regained access after paying ransoms; the article focuses on the prosecution rather than on recovery.
## Lessons Learned
- Key takeaways: Attackers successfully targeted vulnerable NAS devices to achieve high impact quickly. Blockchain analysis is a viable method for tracing illicit financial flows from ransomware groups.
- What could have been done better: Victims could have mitigated risk by implementing strong security hygiene on their NAS devices.
## Recommendations
- Prevention measures for similar incidents:
1. **Firmware Updates:** Ensure NAS devices run the latest available firmware versions.
2. **Service Hardening:** Turn off all unnecessary services (e.g., Telnet, rsync, UPnP).
3. **Network Segmentation:** Do not expose NAS devices directly to the internet.
4. **Access Control:** Restrict NAS access exclusively through secure VPN connections.
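A defender-side check for the service-hardening and exposure recommendations above, added here as an example and not part of the original report: it parses a constructed `ss -tulnp`-style listener table (Linux iproute2 output format; that the NAS provides such a listing is an assumption) and flags the services the report names, plus anything bound to all interfaces on an internet-reachable device.

```python
import ipaddress
import re

# Services the recommendations above say to turn off, keyed by well-known port.
RISKY_PORTS = {23: "telnet", 873: "rsync", 1900: "upnp-ssdp"}
# Matches `ss -tulnp` style rows: proto, state, recv-q, send-q, local_addr:port ...
LISTEN_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")
# Constructed sample listing for a hypothetical NAS; not captured from any real device.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=101,fd=3))
tcp   LISTEN 0      128    0.0.0.0:873         0.0.0.0:*         users:(("rsync",pid=102,fd=4))
udp   UNCONN 0      0      192.168.1.20:1900   0.0.0.0:*         users:(("minissdpd",pid=103,fd=5))
tcp   LISTEN 0      128    127.0.0.1:5000      0.0.0.0:*         users:(("nginx",pid=104,fd=6))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=105,fd=7))
"""


def parse_listeners(text):
    """Return (proto, bind_addr, port) for every socket row in an ss-style listing."""
    rows = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2).strip("[]"), int(m.group(3))))
    return rows


def bind_scope(addr):
    """Classify a bind address as 'any', 'loopback', 'private' or 'public'."""
    if addr in ("0.0.0.0", "*", "::"):
        return "any"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "any"  # unknown wildcard form: assume the widest scope
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def audit(text, internet_reachable):
    """Return [(severity, message)]; internet_reachable means a public IP or port forward."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        scope = bind_scope(addr)
        if port in RISKY_PORTS:  # Telnet, rsync, UPnP: disable regardless of scope
            sev = "high" if scope in ("any", "public") else "medium"
            findings.append((sev, f"{RISKY_PORTS[port]}/{port} {proto} bound to {addr}: disable"))
        elif internet_reachable and scope in ("any", "public"):
            findings.append(("medium", f"port {port} {proto} on {addr} reachable from the internet: VPN only"))
    return findings
```

Loopback-only listeners produce no finding, and a risky service bound to a LAN address is still reported at medium because the recommendation is to disable it, not merely to hide it.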