LenovoEMC NAS (network-attached storage) devices are currently being targeted by ransomware threat actors who wipe their files and demand a ransom of about $200 – $275 to restore the data. Data from BitcoinAbuse, a portal where Bitcoin addresses used in ransomware and other cybercrime are reported, shows that this Cl0ud SecuritY campaign has been running for at least a month.
The attackers' primary targets are LenovoEMC NAS devices that have their management interface exposed on the internet without a password. According to a Shodan search, there are approximately 1,000 such devices, ZDNet says. Some of the NAS devices found by the security researchers contained a ransom note named RECOVER YOUR FILES!!!!.txt, signed by the Cl0ud SecuritY hackers, who left the following email address for contact:
This is not the first campaign targeting this brand of NAS device. Last year another campaign targeted LenovoEMC devices, and although it was not signed and used a different email address, researchers believe it was run by the same group.
Attacks against LenovoEMC NAS devices carried out by unsophisticated criminals
According to security researcher Victor Gevers from the GDI Foundation, such attacks have been going on for years, with the recent intrusions most likely coming from an unsophisticated hacker group. In a conversation with ZDNet, the researcher said that these hackers rely on a simple exploit and target devices that are already exposed to the internet.
Even though the Cl0ud SecuritY hackers claim to have copied the victims' files to their servers and threaten to leak them, researchers have found no evidence supporting these claims. In other words, the leak threats made in the ransom note appear to be unsubstantiated.
It is also important to note that Lenovo officially discontinued LenovoEMC devices in 2018, which probably explains why the number of discovered devices is no more than about a thousand.
In July 2019, an attack campaign was launched against QNAP NAS devices owned by both end users and enterprises. The malware used against them was the Linux-based eCh0raix ransomware. The attack also used a blacklist that would stop the infection if the victim's device was located in Belarus, Ukraine or Russia.