Authorities have broken up a Romania-based crew that had been quietly locking down network storage systems in Italy’s Lombardy region. The attackers targeted outdated NAS devices, cutting off company access to key files and forcing operations to come to a halt.
Known to investigators as “Diskstation,” the group concentrated on compromising Synology-based Network Attached Storage devices, commonly used by organizations for data redundancy, archival, and shared access environments. Attackers encrypted system-level files, locking companies out of key assets and demanding sizable payments in cryptocurrency.
The operation, code-named Elicius, was jointly led by Europol along with police forces from Romania and France. Victims included media production firms, nonprofit entities, and event service providers—sectors that rely heavily on constant digital availability.
Diskstation kept shifting its name. At different points, it operated under labels like Quick Security, 7even Security, or LegendaryDisk. It was all smoke and mirrors, likely aimed at keeping investigators off track. Its targets were usually NAS units directly reachable from the internet. Devices with outdated software or no real access limits stood no chance. Once breached, files were locked up, and systems couldn’t function.
Afterward, ransom notes would turn up. No long explanations—just the demand. Some started around ten thousand dollars. Others ran much higher. Investigators later traced crypto flows tied to the payments. Bit by bit, the movement of those transactions circled back to actors operating out of Romania.
Police carried out several searches in Bucharest during June 2024. In one location, investigators found live systems connected to the campaign, along with digital traces suggesting continued coordination behind the scenes. A man believed to be in his mid-forties was taken into custody on site. He now faces legal action for unauthorized access to computing systems and demands tied to digital ransom activity.
On the defense side, specialists continue to emphasize the importance of properly configured NAS environments. That includes isolating access and limiting exposure through private network access, shutting off unnecessary protocols and unused services, and staying on top of firmware and patch updates to prevent similar compromise paths.