This hacker group is attacking Lenovo NAS devices and asking for a ransom

According to cybersecurity specialists, a group of hackers calling itself “Cl0ud SecuritY” is accessing old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices to delete files and leave ransom notes asking admins to pay between $200 USD and $275 USD to recover access to their data.

The attacks have been reported for a couple of weeks, according to BitcoinAbuse, a platform where users can report Bitcoin addresses being used for ransomware attacks, phishing campaigns and other fraud variants. The attacks seem to target only LenovoEMC and Iomega NAS devices that expose their management interface on the Internet without a password.

Many of the NAS devices found through Shodan Internet scans contained a ransom note named “RECOVER YOUR FILES!!!!.TXT”. All ransom notes related to this campaign are signed by Cl0ud SecuritY and include the same email address, which is given as the contact point (

The attacks recorded over the last few weeks appear to be a second stage of attacks that started during 2019 and were also targeted exclusively at LenovoEMC NAS devices. Although last year’s attacks were unsigned and no email address was given to contact the hackers, there are many similarities between the ransom notes used in both campaigns, so cybersecurity specialists believe the same hacker is behind the two attacks.

Researcher Victor Gevers says he and his team have been tracking such attacks for years, and they think the recent intrusions are a sample of how sophisticated this malicious actor has become. Gevers added that the attackers did not rely on a complex technique, as they targeted devices that were already open on the Internet and did not bother to encrypt the data.

The Cl0ud SecuritY hackers claim to have copied the victims’ files to their servers and threaten to leak them, usually if the ransom is not paid within five days. However, there is no evidence that the data has been backed up anywhere, nor is there any data from previous victims who have made the payment. Gevers also said that attacks on LenovoEMC NAS devices are not new and that he has investigated the incidents since 1998.