An international law enforcement action dismantled a Romanian ransomware gang known as 'Diskstation,' which encrypted the systems of several companies in the Lombardy region, paralyzing their businesses. The ransomware operation targeted Synology Network-Attached Storage (NAS) devices, commonly used by companies for centralized file storage and sharing, data backup and recovery, and general content hosting. The attacks demanded ransom payments ranging from $10,000 to hundreds of thousands of dollars, causing severe systems outages and business disruption. Victims included graphic and film production firms, event organizers, and international NGOs.
TPRM report: https://www.rankiteo.com/company/jtwofilms
"id": "jtw759071625",
"linkid": "jtwofilms",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'industry': ['Graphic and film production',
'Event organization',
'Civil rights and charity'],
'location': 'Lombardy region',
'name': ['Graphic and film production firms',
'Event organizers',
'International NGOs'],
'type': ['Private companies', 'NGOs']}],
'attack_vector': 'Internet-exposed NAS devices',
'data_breach': {'data_encryption': 'Yes',
'type_of_data_compromised': 'Encrypted data on IT systems'},
'date_publicly_disclosed': 'June 2024',
'date_resolved': 'June 2024',
'description': 'An international law enforcement action dismantled a Romanian '
"ransomware gang known as 'Diskstation,' which encrypted the "
'systems of several companies in the Lombardy region, '
'paralyzing their businesses.',
'impact': {'data_compromised': 'Encrypted data on IT systems',
'downtime': 'Complete paralysis of production processes',
'operational_impact': 'Severe systems outages and business '
'disruption',
'systems_affected': 'NAS devices'},
'initial_access_broker': {'entry_point': 'Internet-exposed NAS devices'},
'investigation_status': 'Arrests made and pre-trial detention',
'lessons_learned': 'Ensure NAS devices run the latest available firmware, '
'turn off unnecessary services, do not expose them to the '
'internet, and restrict access to VPNs.',
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': 'Ensure NAS devices run the '
'latest available firmware, '
'turn off unnecessary '
'services, do not expose '
'them to the internet, and '
'restrict access to VPNs.',
'root_causes': 'Internet-exposed NAS devices'},
'ransomware': {'data_encryption': 'Yes',
'ransom_demanded': ['$10,000',
'hundreds of thousands of dollars'],
'ransomware_strain': 'Diskstation'},
'recommendations': 'Ensure NAS devices run the latest available firmware, '
'turn off unnecessary services, do not expose them to the '
'internet, and restrict access to VPNs.',
'references': [{'source': 'BleepingComputer'}],
'regulatory_compliance': {'legal_actions': 'Charges for unauthorized access '
'to computer systems and '
'extortion'},
'response': {'law_enforcement_notified': 'Yes',
'third_party_assistance': 'Europol, French and Romanian police '
'forces'},
'threat_actor': 'Diskstation ransomware gang',
'title': 'Diskstation Ransomware Incident',
'type': 'Ransomware',
'vulnerability_exploited': 'Exposed NAS devices'}