'Cl0ud SecuritY' Hacker Gang Is Wiping LenovoEMC NAS Devices and Asking for Ransom

Hackers have been targeting Network Attached Storage (NAS) devices, which puts the data backups usually stored on them at risk. Recently, similar attacks were observed against LenovoEMC NAS devices.

LenovoEMC NAS devices targeted

According to entries on BitcoinAbuse, a web portal for reporting Bitcoin addresses related to cybercrime, attackers have been targeting old LenovoEMC (formerly Iomega) NAS devices for at least a month.
  • In June, ZDNet researchers identified around 1000 such vulnerable LenovoEMC NAS devices using the Shodan search engine.
  • A hacker named 'Cl0ud SecuritY' launched attacks against old LenovoEMC NAS devices, wiping users' files and leaving ransom notes demanding that victims pay between $200 and $275 to get their data back.
  • The hackers didn't rely on a complex exploit but targeted only LenovoEMC NAS devices that were already exposing their management interface on the internet without a password, and those whose owners had not encrypted their data.

A similar attack happened last year

The latest attack seems to be a continuation of attacks that started in July 2019 and also targeted LenovoEMC NAS devices.
  • Attackers deleted files on publicly accessible Lenovo Iomega NAS devices and left ransom notes demanding a payment of 0.01 to 0.05 BTC.
  • It is believed that the same threat actor is behind both attack waves.

What Lenovo says

The LenovoEMC and Iomega NAS devices have been discontinued by Lenovo since 2018. Still, in a post on a Lenovo Support page, Lenovo has urged users of these devices to secure their data.

Recent attacks on other NAS devices

NAS devices are used by many businesses to back up their data. They often have a web interface that can be accessed over the internet, which increases the chances of exploitation.
  • In June, the eCh0raix ransomware gang also reportedly targeted QNAP NAS devices in a new wave of ransomware attacks.
  • Earlier in March, a new variant of Mirai malware, dubbed Mukashi, exploited a vulnerability (CVE-2020-9054) in Zyxel NAS devices.