Attackers are deleting files from publicly accessible Lenovo Iomega NAS devices and leaving ransom notes demanding payment in bitcoin.
Contents of ransom note
“YOUR FILES HAVE BEEN ENCRYPTED AND MOVED TO A SAFE LOCATION. IF YOU NEED THEM BACK PLEASE SEND 0.03 BITCOIN TO THIS ADDRESS: 13gMN3sJFxoLvoDzyGxq31sr4k9P2qqMDQ
YOU HAVE UNTIL THE 1st OF AUGUST 2019 TO MAKE THE PAYMENT OR YOUR FILES WILL BE GONE FOR GOOD.
YOUR UNIQUE ID IS: "xxx".
BE SURE TO INCLUDE IT IN THE PAYMENT COMMENTS, OR EMAIL ME THE CODE AND PAYMENT CONFIRMATION TO: iomega@cock[.]li
AFTER THE PAYMENT YOU WILL RECEIVE A NEW FILE ON YOUR NAS DEVICE WITH THE LINK TO YOUR DECRYPTED FILES.
THANK YOU FOR YOUR COOPERATION,” the ransom note read, BleepingComputer reported.
The bitcoin address associated with this ransom note has received a total of 9 payments since June 27, 2019.
How do attackers gain access to NAS devices?
BleepingComputer's analysis found that unsecured Iomega devices expose a publicly accessible web front end that lets anyone remotely access the stored files. If not properly secured, this web interface also lets a remote user upload and delete files and folders on the NAS device.
Possible recovery of files
In conversations with victims, BleepingComputer learned that the files are being deleted rather than encrypted and hidden somewhere on the drive. A few victims reported difficulty recovering the deleted files because the NAS devices use ext2 filesystems.
However, one victim noted that he had successfully recovered the deleted files with file recovery software after attaching the NAS drive to his PC via USB.