CIO

NAS devices in the firing line: After QNAP, Synology, Iomega devices attacked

Just days after Taiwan-based storage vendor Synology warned users of its network attached storage (NAS) devices of ransomware attacks, users of Iomega NAS devices are reporting that their storage units are under siege too.

In a twist on ransomware, which typically encrypts data but leaves it on an affected device, the Iomega attackers claim to have encrypted victims’ files and moved them to a “safe location”. The attackers are asking for 0.01 to 0.05 BTC (USD$95 to USD$465) before they’ll give victims their data back.     

The attackers communicate the threat in a ransomware note left on files that were stored on affected Iomega devices. The switched files are labelled “YOUR FILES ARE SAFE!!!.txt”, according to victims reporting the issues on BleepingComputer’s user forums.

The current message warns that victims have until August 1, 2019, to pay the ransom or the files will be “gone for good”. 

The attackers provide victims with a unique ID that should be included in a comments section of the payment form or be emailed to the attacker at the address decryptiomega@protonmail.com. Users are told that after paying up they’ll receive a new file on the affected Iomega NAS device with a link to their stolen data.   

Protonmail, a privacy-focussed email service, was created by researchers at Swiss-based research institute CERN and is meant to offer a web-based email alternative to Google Gmail and Microsoft Outlook.

According to BleepingComputer, one variant of the ransom message threatens that the stolen files will be sold on the dark web if the ransom payment is not delivered.

One BTC address where payments appear to be related to the Iomega campaign has netted the attacker about 0.2 BTC or $1,906, so far, from nine payments made since June 27. 

The supposedly “safe location” where the files are being stored also appears to be hidden somewhere on the device’s drive, according to user accounts.

BleepingComputer reports that a user claims to have been able to recover the hidden files using file recovery software after attaching the NAS to their PC via USB. 

Synology this week revealed that the contents of some NAS devices were being encrypted with ransomware due to brute-force password attacks.  

Synology NAS users were hit by a ransomware attack in 2014 with the SynoLocker ransomware, which demanded 0.6 BTC or about USD$350 to regain access to encrypted files. The 2014 attack exploited a flaw in Synology devices' Linux-based operating system whereas the new attack simply guessed passwords using dictionary lists.  

It’s not known how attackers are accessing Iomega NAS devices, but it’s fairly common for users to not properly secure internet-connected NAS devices. Synology, for example, urged users to enable the firewall and restrict publicly accessible ports, as well as enable two-step verification. 

Iomega NAS devices now fall under a joint venture between Chinese laptop maker, Lenovo, and enterprise storage player, EMC. 

The Register reported earlier this month that researchers using the Shodan.io internet-device search engine discovered almost a year ago that many Iomega NAS devices using legacy software were using a non-password-protected application programming interface (API).

Unbeknownst to users, the Iomega devices were leaking millions of files to anyone on the internet via an API designed to share files over the internet that could be accessed without a password. 

Researchers from European security company, Vertical Structure, used the security flaw to find 36 terabytes of data from Iomega NAS devices totaling over three million individual files. 

Lenovo has not provided a software update for the Iomega NAS issue, according to its software update page.