ZDNet drew attention to user complaints appearing on the BitcoinAbuse website, where victims report bitcoin addresses used by ransomware operators, scammers and other cybercriminals.
As it turned out, about a month ago the Cl0ud SecuritY group began breaking into old LenovoEMC network drives (formerly Iomega). The attackers erase all files from the devices and leave a ransom note demanding 200 to 275 US dollars.
Let me remind you that Lenovo stopped developing the LenovoEMC and Iomega NAS lines in 2018; most network drives in these series are no longer supported and have long outlived their intended service life.
Apparently, the attacks target only unprotected LenovoEMC devices that are reachable from the Internet without a password. Journalists were able to find about 1000 such devices using the Shodan IoT search engine. Moreover, many of these NAS have already been attacked and contain the ransom note file, RECOVER YOUR FILES !!!!.txt.
All extortion messages are signed by Cl0ud SecuritY and also contain the email address email@example.com.
Cl0ud SecuritY claimed to have copied the victims' files to their own servers before deleting them, and threatened to publish the files openly if the ransom was not paid within five days. However, there is no evidence that the victims' data was actually stored anywhere, and specialists know of no precedent for such information being published. It seems the attackers are simply trying to intimidate their victims, while the user data has already been completely and irreversibly destroyed.
This campaign appears to be a continuation of last year's series of attacks on Iomega and Synology NAS devices. Although last year the hackers did not sign their messages as Cl0ud SecuritY and used a different email address, the ransom note text is very similar and suggests the same people are behind these incidents.