Security Affairs
U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hacking campaign is wiping Iomega NAS Devices exposed online

Experts warn of a new campaign carried out by threat actors that are wiping Iomega NAS devices exposed online. Security experts are warning of a campaign carried out by attackers that are deleting files on publicly accessible Lenovo Iomega NAS devices. Likely attackers use the Shodan search engine to find unprotected IOmega NAS exposed online […]

IOmega NAS devices flaw 3

Experts warn of a new campaign carried out by threat actors that are wiping Iomega NAS devices exposed online.

Security experts are warning of a campaign carried out by attackers that are deleting files on publicly accessible Lenovo Iomega NAS devices.

Likely attackers use the Shodan search engine to find unprotected IOmega NAS exposed online and access them using the publicly accessible web interface.

Once wiped the devices, attackers will leave a ransom note asking for the payment of a ransom in Bitcoin. It is not clear if the attackers will give back the files to the victims after they have made the payment.

“In a topic in the BleepingComputer forums, users are reporting that all of the files on their Lenovo Iomega NAS devices have been deleted or hidden and a ransom note was left in their place.” reported BleepingComputer.  “This ransom note is named YOUR FILES ARE SAFE!!!.txt and state that the user’s files have been encrypted and moved to a safe location.”

IOmega NAS wiper

Experts observed several notes that request the payment of different ransom amounts and have different messages.  Most of the notes request victims to pay an amount between 0.01 to 0.05 Bitcoin.

One of the ransom notes observed by the victims threaten them to sell their files on the dark web if the user does not make the payment

YOUR FILES HAVE BEEN ENCRYPTED AND MOVED TO A SAFE LOCATION. IF YOU NEED THEM BACK PLEASE SEND 0.01 BITCOIN TO THIS ADDRESS:
172bnrSX351TEEVrFJTPAA9ktBxfjnweLm
YOU HAVE UNTIL THE 15th OF AUGUST 2019 TO MAKE THE PAYMENT OR YOUR FILES WILL BE SOLD ON THE DARK WEB.
YOUR UNIQE ID IS: "xxx".
BE SURE TO INCLUDE IT IN THE PAYMENT COMMENTS, OR EMAIL ME THE CODE AND PAYMENT CONFIRMATION TO: decryptiega@protonmail.com
AFTER THE PAYMENT YOU WILL RECEIVE A NEW FILE ON YOUR FTP DEVICE WITH THE LINK TO YOUR DECRYPTED FILES.
THANK YOU FOR YOUR COOPERATION.

Unfortunately, some of the victims prefer to pay the ransom to get back their files. Analyzing one of the Bitcoin addresses associated with this campaign, the 13gMN3sJFxoLvoDzyGxq31sr4k9P2qqMDQ wallet, we can verify that at the time of writing 10 victims have paid the ransom.

IOmega NAS wiper 2

BleepingComputer discovered that the files are being deleted by the attackers and hidden somewhere on the drive, this means that it is possible to recover them using file recovery software.

Some users reported difficulty using file recovery software with the NAS devices because they use ext2 filesystem.

Recently experts reported a series of attacks involving the eCh0raix ransomware that was targeting QNAP NAS devices.

QNAP published a security advisory to explain to its users how to secure their NAS devices.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – IOmega NAS, ransom)

[adrotate banner=”5″]

[adrotate banner=”13″]