Cybersecurity Breach: Synology Inc. Experiences Ransomware Attack by Underground Team

Incident Date: May 4, 2024

Overview

Title: Cybersecurity Breach: Synology Inc. Experiences Ransomware Attack by Underground Team

Victim: Synology

Attacker: Underground Team

Location: New Taipei City, Taiwan

First Reported: May 4, 2024

Synology Hit by Underground Team Ransomware Attack

Overview of the Incident

Synology Inc., a renowned provider of network-attached storage solutions, has fallen victim to a ransomware attack orchestrated by a group known as the Underground Team. The cybercriminals managed to exfiltrate 51 GB of data from Synology's systems, which was subsequently published online, indicating a significant data breach.

Company Profile

Established in January 2000, Synology Inc., headquartered in Taiwan, is a prominent figure in the network-attached storage (NAS) sector. Renowned for its dependable, intuitive, and top-notch storage solutions such as DiskStation, FlashStation, and RackStation, Synology has cemented its position as a frontrunner in the industry. With a global footprint spanning the United States, China, France, and Germany, Synology operates with a workforce of approximately 650 employees worldwide under the leadership of CEO Philip Wong.

Details of the Ransomware Attack

The Underground Team ransomware is known for its 64-bit GUI-based application that employs various commands to disrupt systems, including deleting backups, modifying registry settings, and halting critical services like MSSQLSERVER. This particular attack on Synology involved the exfiltration of a substantial amount of data, which was fully published online, exposing sensitive information.

Potential Vulnerabilities and Attack Vectors

The Underground Team likely used sophisticated social engineering tactics to infiltrate Synology's systems. Common methods include phishing emails with malicious attachments or links to compromised websites, designed to appear legitimate and deceive employees into running the malware. Additionally, the ransomware could have been disguised as a legitimate software update or application, further tricking users into downloading and executing the malicious payload.
