Hacking campaign is wiping Iomega NAS Devices exposed online

Experts warn of a new campaign carried out by threat actors that are wiping Iomega NAS devices exposed online.

Security experts are warning of a campaign carried out by attackers that are deleting files on publicly accessible Lenovo Iomega NAS devices.

Likely attackers use the Shodan search engine to find unprotected IOmega NAS exposed online and access them using the publicly accessible web interface.

Once wiped the devices, attackers will leave a ransom note asking for the payment of a ransom in Bitcoin. It is not clear if the attackers will give back the files to the victims after they have made the payment.

“In a topic in the BleepingComputer forums, users are reporting that all of the files on their Lenovo Iomega NAS devices have been deleted or hidden and a ransom note was left in their place.” reported BleepingComputer.  “This ransom note is named YOUR FILES ARE SAFE!!!.txt and state that the user’s files have been encrypted and moved to a safe location.”

Experts observed several notes that request the payment of different ransom amounts and have different messages.  Most of the notes request victims to pay an amount between 0.01 to 0.05 Bitcoin.

One of the ransom notes observed by the victims threaten them to sell their files on the dark web if the user does not make the payment

YOUR FILES HAVE BEEN ENCRYPTED AND MOVED TO A SAFE LOCATION. IF YOU NEED THEM BACK PLEASE SEND 0.01 BITCOIN TO THIS ADDRESS:
172bnrSX351TEEVrFJTPAA9ktBxfjnweLm
YOU HAVE UNTIL THE 15th OF AUGUST 2019 TO MAKE THE PAYMENT OR YOUR FILES WILL BE SOLD ON THE DARK WEB.
YOUR UNIQE ID IS: "xxx".
BE SURE TO INCLUDE IT IN THE PAYMENT COMMENTS, OR EMAIL ME THE CODE AND PAYMENT CONFIRMATION TO: decryptiega@protonmail.com
AFTER THE PAYMENT YOU WILL RECEIVE A NEW FILE ON YOUR FTP DEVICE WITH THE LINK TO YOUR DECRYPTED FILES.
THANK YOU FOR YOUR COOPERATION.

Unfortunately, some of the victims prefer to pay the ransom to get back their files. Analyzing one of the Bitcoin addresses associated with this campaign, the 13gMN3sJFxoLvoDzyGxq31sr4k9P2qqMDQ wallet, we can verify that at the time of writing 10 victims have paid the ransom.

BleepingComputer discovered that the files are being deleted by the attackers and hidden somewhere on the drive, this means that it is possible to recover them using file recovery software.

Some users reported difficulty using file recovery software with the NAS devices because they use ext2 filesystem.

Recently experts reported a series of attacks involving the eCh0raix ransomware that was targeting QNAP NAS devices.

QNAP published a security advisory to explain to its users how to secure their NAS devices.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – IOmega NAS, ransom)

[adrotate banner=”5″]

[adrotate banner=”13″]