In a significant victory against cybercrime, a coordinated international law enforcement operation, codenamed “Operation Elicius,” has successfully dismantled a Romanian ransomware gang known as “Diskstation.” The group specialized in targeting Network-Attached Storage (NAS) devices, particularly those manufactured by Synology, causing widespread disruption to businesses and non-profit organizations worldwide.
The investigation, led by Europol in collaboration with French and Romanian authorities, uncovered a sophisticated cybercriminal operation that had been active since 2021. The Diskstation group focused its efforts on compromising internet-exposed NAS devices to deploy ransomware and extort victims by encrypting critical data.
Modus Operandi
Operating under names such as “DiskStation Security,” “Quick Security,” “LegendaryDisk Security,” “7even Security,” and “Umbrella Security,” the gang infiltrated vulnerable NAS systems by leveraging security flaws and poor configuration practices. Once access was gained, the victim’s data was encrypted, rendering their NAS devices inoperable. The attackers demanded ransom payments ranging from $10,000 to several hundred thousand dollars in cryptocurrency in exchange for decryption keys.
Industries targeted included graphic and film production companies, event planning businesses, and international NGOs—many of which suffered significant operational disruptions during the attacks. Notably, some victims were located in the Lombardy region of Italy, a key economic hub.
Law Enforcement Response
Following extensive forensic analysis of compromised systems and cryptocurrency transactions, investigators identified several suspects involved in the operation. In June 2024, Romanian police executed multiple search warrants in Bucharest. These actions led to the arrest of a 44-year-old Romanian national, believed to be one of the primary figures behind the ransomware campaign. He now faces charges including unauthorized access to information systems and extortion.
Europol played a central role in coordinating intelligence sharing between member states and supported the on-site operations with forensic experts and cybersecurity analysts.
Advisory for NAS Device Users
In the wake of these events, cybersecurity agencies strongly advise NAS users—particularly small and medium-sized businesses (SMBs)—to review their security practices. Recommended precautions include:
- Regular firmware updates to mitigate vulnerabilities
- Disabling unnecessary network services such as Telnet, FTP, and UPnP
- Restricting remote access using VPNs
- Enforcing strong access credentials and multi-factor authentication
- Implementing regular, immutable backups to ensure data recovery
