A hacker gang is wiping Lenovo NAS devices and asking for ransoms

Ransom notes signed by 'Cl0ud SecuritY' hacker group are being found on old LenovoEMC NAS devices.
Written by Catalin Cimpanu, Contributor
LenovoEMC Iomega

A hacker group going by the name of 'Cl0ud SecuritY' is breaking into old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, wiping files, and leaving ransom notes behind asking owners to pay between $200 and $275 to get their data back.

Attacks have been happening for at least a month, according to entries on BitcoinAbuse, a web portal where users can report Bitcoin addresses abused in ransomware, extortions, cybercrime, and other online scams.

Attacks appear to have targeted only LenovoEMC/Iomega NAS devices that are exposing their management interface on the internet without a password.

ZDNet was able to identify around 1,000 such devices using a Shodan search.


Many of the NAS devices we found this way contained a ransom note named "RECOVER YOUR FILES !!!!.txt."

All ransom notes were signed with the 'Cl0ud SecuritY' monicker and used the same "cloud@mail2pay.com" email address as the point of contact.

Image: ZDNet

The recent attacks recorded over the past month appear to be a continuation of attacks that started last year, and which have also exclusively targeted LenovoEMC (formerly Iomega) NAS stations.

While last year's attacks were not signed and used a different contact email, there are many similarities between the ransom note texts used in both 2019 and 2020 to believe the same threat actor is behind both attack waves.

In a phone call today, Victor Gevers, a security researcher with the GDI Foundation, told ZDNet he's been tracking the attacks for years and that these recent intrusions appear to be the work of an unsophisticated hacker.

Gevers said the hackers didn't rely on a complex exploit, targeted devices that were already wide open on the internet, and didn't bother encrypting the data.

The Cl0ud SecuritY hackers claim to have copied the victim's files to their servers and threatened to leak files, usually if a ransom note is not paid within five days.

However, there is no evidence to suggest the data has been backed up anywhere, nor that any data from past victims has been leaked online anywhere over the past year.

Based on current evidence, the ransom notes appear to carry empty threats, and their role seems to be to scare victims into paying a ransom demand for data hackers have already wiped.

Gevers told ZDNet today that attacks against LenovoEMC (Iomega at the time) NAS devices are not new and that he investigated incidents as far back as 1998.

Lenovo has discontinued both the LenovoEMC and Iomega NAS lines in 2018, and the reason why we only identified around 1,000 devices still exposed online, as most NAS stations have reached their EOL long ago and have been decommissioned by many users.

However, some NAS devices are still running, and luckily, a Lenovo support page on how to properly secure these types of devices is still available online for users seeking to secure their data.

The attacks on LenovoEMC/Iomega NAS devices are not the first that have targeted NAS devices in recent years. NAS devices have usually been targeted by DDoS malware, but also by ransomware gangs like Muhstik, QSnatch, and eCh0raix. The attacks on LenovoEMC/Iomega devices are extortion attempts and not ransomware attacks, as they have not encrypted any files, but rather wiped data and demanded a recovery fee.

The 15 top malware threats facing you and your organisation

Editorial standards