Hacking campaign is wiping Iomega NAS Devices exposed online

Experts warn of a new campaign carried out by threat actors that are wiping Iomega NAS devices exposed online.

Security experts are warning of a campaign carried out by attackers that are deleting files on publicly accessible Lenovo Iomega NAS devices.

Likely attackers use the Shodan search engine to find unprotected IOmega NAS exposed online and access them using the publicly accessible web interface.

Once wiped the devices, attackers will leave a ransom note asking for the payment of a ransom in Bitcoin. It is not clear if the attackers will give back the files to the victims after they have made the payment.

“In a topic in the BleepingComputer forums, users are reporting that all of the files on their Lenovo Iomega NAS devices have been deleted or hidden and a ransom note was left in their place.” reported BleepingComputer. “This ransom note is named YOUR FILES ARE SAFE!!!.txt and state that the user’s files have been encrypted and moved to a safe location.”

Experts observed several notes that request the payment of different ransom amounts and have different messages. Most of the notes request victims to pay an amount between 0.01 to 0.05 Bitcoin.

One of the ransom notes observed by the victims threaten them to sell their files on the dark web if the user does not make the payment

YOUR FILES HAVE BEEN ENCRYPTED AND MOVED TO A SAFE LOCATION. IF YOU NEED THEM BACK PLEASE SEND 0.01 BITCOIN TO THIS ADDRESS:
172bnrSX351TEEVrFJTPAA9ktBxfjnweLm
YOU HAVE UNTIL THE 15th OF AUGUST 2019 TO MAKE THE PAYMENT OR YOUR FILES WILL BE SOLD ON THE DARK WEB.
YOUR UNIQE ID IS: "xxx".
BE SURE TO INCLUDE IT IN THE PAYMENT COMMENTS, OR EMAIL ME THE CODE AND PAYMENT CONFIRMATION TO: decryptiega@protonmail.com
AFTER THE PAYMENT YOU WILL RECEIVE A NEW FILE ON YOUR FTP DEVICE WITH THE LINK TO YOUR DECRYPTED FILES.
THANK YOU FOR YOUR COOPERATION.

Unfortunately, some of the victims prefer to pay the ransom to get back their files. Analyzing one of the Bitcoin addresses associated with this campaign, the 13gMN3sJFxoLvoDzyGxq31sr4k9P2qqMDQ wallet, we can verify that at the time of writing 10 victims have paid the ransom.

BleepingComputer discovered that the files are being deleted by the attackers and hidden somewhere on the drive, this means that it is possible to recover them using file recovery software.

Some users reported difficulty using file recovery software with the NAS devices because they use ext2 filesystem.

Recently experts reported a series of attacks involving the eCh0raix ransomware that was targeting QNAP NAS devices.

QNAP published a security advisory to explain to its users how to secure their NAS devices.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – IOmega NAS, ransom)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.