
DecryptIomega Ransomware

By CagedTech in Ransomware

More and more ransomware threats come to light each day as cyber crooks from all around the world try their luck at making a quick buck off the backs of innocent users. One of the newest ransomware threats to surface on the Internet is the DecryptIomega Ransomware.

Targets Lenovo NAS Devices

However, the DecryptIomega Ransomware is not your everyday boring ransomware threat. This threat is similar to the QNASCrypt Ransomware as it targets NAS (Network Attached Storage) devices. For now, the DecryptIomega Ransomware appears to specifically go after NAS devices that are produced by the large Chinese company Lenovo. Some malware researchers speculate that the DecryptIomega Ransomware may be exploiting a bug that was found in the software of the NAS devices. Others believe that the attackers may be using alternative attack methods such as exploiting unsecured Remote Desktop Protocol services and software.

NAS Devices Left Empty

Upon further inspection, cybersecurity experts found that the DecryptIomega Ransomware does not leave the locked files on the device. In fact, the NAS devices affected by the DecryptIomega Ransomware seem to be left completely empty after the attack has taken place. In the ransom note of the DecryptIomega Ransomware, the attackers state that the encrypted files have been transferred to a ‘safe’ location and if the user wants them back and unlocked, they will have to pay 0.03 Bitcoin (~$300 at the time of typing this post). The ransom note is called ‘YOUR FILES ARE SAFE!!!.txt’ and reads:

’YOUR FILES HAVE BEEN ENCRYPTED AND MOVED TO A SAFE LOCATION. IF YOU NEED THEM BACK PLEASE SEND 0.03 BITCOIN TO THIS ADDRESS:
1GMwS2BgKbfHxZBGk4n3uy5GGevS4DtB1M
YOU HAVE UNTIL THE 1st OF AUGUST 2019 TO MAKE THE PAYMENT OR YOUR FILES WILL BE GONE FOR GOOD.
YOUR UNIQE ID IS: "---".
BE SURE TO INCLUDE IT IN THE PAYMENT COMMENTS, OR EMAIL ME THE CODE AND PAYMENT CONFIRMATION TO: decryptiomega@protonmail.com
AFTER THE PAYMENT YOU WILL RECEIVE A NEW FILE ON YOUR NAS DEVICE WITH THE LINK TO YOUR DECRYPTED FILES.
THANK YOU FOR YOUR COOPERATION.’

However, there is no proof that the data has not simply been wiped, or that paying the ransom fee will restore any of your data. The attackers provide two email addresses where you can contact them for further information: ‘decryptiomega@protonmail.com’ and ‘iomega@firemail.cc’.
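Administrators can check mounted NAS shares for the indicators named above: the note file name, the two contact addresses, the payment address, and the "left empty" pattern. The following is an added example, not part of the original post; the function names and the 64 KB size cutoff are assumptions, and the sample files are constructed.

```python
import os
import tempfile

# Indicators taken from the article text above.
NOTE_NAME = "YOUR FILES ARE SAFE!!!.txt"
CONTENT_MARKERS = (
    "decryptiomega@protonmail.com",
    "iomega@firemail.cc",
    "1GMwS2BgKbfHxZBGk4n3uy5GGevS4DtB1M",
)

def is_ransom_note(path):
    """Match on the file name, or on known markers inside a small text file."""
    if os.path.basename(path).lower() == NOTE_NAME.lower():
        return True
    try:
        if os.path.getsize(path) > 64 * 1024:  # assumed cutoff: notes are small
            return False
        with open(path, "r", errors="ignore") as fh:
            text = fh.read().lower()
    except OSError:
        return False  # unreadable file: cannot confirm, do not flag
    return any(marker.lower() in text for marker in CONTENT_MARKERS)

def scan_share(root):
    """Walk a mounted share; report notes found and how many other files remain."""
    notes, other_files = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_ransom_note(full):
                notes.append(full)
            else:
                other_files += 1
    # The article describes affected devices as empty apart from the note.
    emptied = bool(notes) and other_files == 0
    return {"notes": notes, "other_files": other_files, "emptied": emptied}

def demo():
    """Constructed sample: one emptied share and one healthy share."""
    with tempfile.TemporaryDirectory() as hit, tempfile.TemporaryDirectory() as ok:
        with open(os.path.join(hit, NOTE_NAME), "w") as fh:
            fh.write("constructed sample note\n")
        with open(os.path.join(ok, "report.docx"), "w") as fh:
            fh.write("constructed sample document\n")
        return scan_share(hit), scan_share(ok)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A share that reports `emptied` as true should be isolated from the network and compared against the most recent backup before anything is written to it.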

Often, NAS devices are used for storing important data, sometimes by large companies. Such institutions tend to back up sensitive information so that they can recover lost data without having to pay the sum demanded. Some users, however, overlook the importance of backing up their data and may be in a much stickier situation here.

We would not recommend paying up. There is absolutely no guarantee that the attackers have securely stored your data or that they are able to decrypt it if they have it on their servers. A safer approach is to use a reputable anti-malware application to remove the DecryptIomega Ransomware from your system. Then, you can search for third-party data-recovery software, which may help you get back some of the lost files.
