Law Enforcement Shuts Down Diskstation Ransomware Group Targeting NAS Devices

Law enforcement agencies have dismantled the Diskstation ransomware group, a Romanian cybercriminal gang responsible for crippling the operations of multiple companies in Italy by encrypting their systems and demanding ransom payments.
The international operation—codenamed "Operation Elicius"—was led by Europol, with support from police forces in France and Romania.

Diskstation Malware: A Threat to Synology NAS Systems

The group specifically targeted Synology NAS (Network Attached Storage) devices—widely used by businesses for file storage, backups, disaster recovery, and collaborative content management.
Since 2021, Diskstation has been linked to attacks on NAS systems globally, operating under various aliases such as:
- DiskStation Security
- Quick Security
- LegendaryDisk Security
- 7even Security
- Umbrella Security
The hackers exploited internet-exposed NAS devices, encrypting files and demanding ransom payments ranging from $10,000 to over $500,000, typically in cryptocurrency.

Severe Disruption and Extortion

Victims experienced complete operational paralysis following the attacks.
“Companies suffered total disruption of their IT systems, halting production processes entirely. To resume operations and recover their data, victims were forced to pay substantial sums,” investigators said.
Among the impacted organizations were:
- Graphics and film production companies
- Event organizers
- International NGOs focused on civil rights and humanitarian work

Investigation and Arrests

The investigation was spearheaded by the Milan Prosecutor’s Office, which analyzed compromised systems and used blockchain forensics to trace ransom payments.
After several months of work, authorities identified multiple suspects, leading to coordinated raids in Bucharest in June 2024.
During the raids, police seized critical evidence and arrested individuals connected to the Diskstation operation.
A 44-year-old Romanian national is believed to be the group's leader and principal operator. He is currently in pretrial detention, facing charges including unauthorized access to computer systems and cyber extortion.

Key Takeaways

- Diskstation ransomware group dismantled in a Europol-led international operation
- Targeted Synology NAS devices, demanding ransoms between $10K and $500K+
- Victims included media companies, event organizers, and humanitarian NGOs
- Investigation used blockchain analysis to track crypto ransom payments
- Suspected ringleader arrested in Romania, awaiting trial for cyber extortion