Lenovo NAS is in Wipe mode

LenovoEMC Iomega

A hacker group going by the name of ‘Cl0ud SecuritY’ is breaking into old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, wiping files, and leaving ransom notes

Attacks appear to have targeted only LenovoEMC/Iomega NAS devices that are exposing their management interface on the internet without a password.

ZDNet was able to identify around 1,000 such devices using a Shodan search.
Many of the NAS devices we found this way contained a ransom note named “RECOVER YOUR FILES !!!!.txt.”

All ransom notes were signed with the ‘Cl0ud SecuritY’ monicker and used the same “cloud@mail2pay.com” email address as the point of contact.

The recent attacks recorded over the past month appear to be a continuation of attacks that started last year, and which have also exclusively targeted LenovoEMC (formerly Iomega) NAS stations.

While last year’s attacks were not signed and used a different contact email, there are many similarities between the ransom note texts used in both 2019 and 2020 to believe the same threat actor is behind both attack waves.

The Cl0ud SecuritY hackers claim to have copied the victim’s files to their servers and threatened to leak files, usually if a ransom note is not paid within five days.

However, there is no evidence to suggest the data has been backed up anywhere, nor that any data from past victims has been leaked online anywhere over the past year.

Based on current evidence, the ransom notes appear to carry empty threats, and their role seems to be to scare victims into paying a ransom demand for data hackers have already wiped.

Lenovo has discontinued both the LenovoEMC and Iomega NAS lines in 2018, and the reason why we only identified around 1,000 devices still exposed online, as most NAS stations have reached their EOL long ago and have been decommissioned by many users.

The attacks on LenovoEMC/Iomega NAS devices are not the first that have targeted NAS devices in recent years. NAS devices have usually been targeted by DDoS malware, but also by ransomware gangs like Muhstik, QSnatch, and eCh0raix. The attacks on LenovoEMC/Iomega devices are extortion attempts and not ransomware attacks, as they have not encrypted any files, but rather wiped data and demanded a recovery fee.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s