QNAP warns of new Checkmate ransomware targeting NAS devices

Cindy F. Cape

Network-attached storage (NAS) vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data.

QNAP says the attacks are focused on Internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks.

“A new ransomware known as Checkmate has recently been brought to our attention,” the NAS maker said in a security advisory published Thursday.

“Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords.”

Checkmate is a recently discovered ransomware strain, first deployed in attacks around May 28, that appends a .checkmate extension to encrypted files and drops a ransom note named !CHECKMATE_DECRYPTION_README.

While there aren’t any reports on QNAP’s official forums or online social networks, victims have been sharing files locked using Checkmate ransomware in a dedicated BleepingComputer forum thread.

Based on ransom notes seen so far by BleepingComputer, the attackers ask victims to pay $15,000 worth of bitcoins to get a decryptor and a decryption key.

According to QNAP, the threat actors behind this campaign remotely log in to devices exposed to remote access using accounts compromised in dictionary attacks.

After gaining access, they start encrypting files in shared folders (however, victim reports say that all the data is encrypted).
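A triage sketch built on the two indicators named above, the `.checkmate` extension and the `!CHECKMATE_DECRYPTION_README` note (an added example, not code from QNAP or BleepingComputer). It walks a mounted share and reports per directory how far encryption got. Matching the note by prefix and the sample tree are assumptions made for illustration, and file modification times only approximate when encryption ran.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENC_EXT = ".checkmate"                      # extension named in the article
NOTE_NAME = "!CHECKMATE_DECRYPTION_README"  # ransom note name from the article

def scan_share(root):
    """Walk `root` and summarise Checkmate indicators per directory."""
    encrypted = Counter()  # directory -> number of *.checkmate files
    totals = Counter()     # directory -> number of files seen
    notes, earliest = [], None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            totals[dirpath] += 1
            # Assumption: the note may carry an extension, so match by prefix.
            if name.upper().startswith(NOTE_NAME):
                notes.append(path)
            elif name.lower().endswith(ENC_EXT):
                encrypted[dirpath] += 1
                mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
                earliest = mtime if earliest is None else min(earliest, mtime)
    affected = set(encrypted) | {os.path.dirname(n) for n in notes}
    first = None if earliest is None else datetime.fromtimestamp(earliest, timezone.utc)
    return {
        "encrypted_files": sum(encrypted.values()),
        "ransom_notes": sorted(notes),
        "affected_dirs": {d: (encrypted[d], totals[d]) for d in sorted(affected)},
        "clean_dirs": sorted(set(totals) - affected),
        "oldest_encrypted_mtime_utc": first.isoformat() if first else None,
    }

def build_sample_tree(base):
    """Constructed sample data: one hit share and one untouched share."""
    layout = {"Public": ["a.docx.checkmate", "b.jpg.checkmate", NOTE_NAME + ".txt"],
              "Backups": ["nas-2022-07.tar"]}
    for share, names in layout.items():
        os.makedirs(os.path.join(base, share))
        for name in names:
            open(os.path.join(base, share, name), "w").close()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for key, value in scan_share(build_sample_tree(tmp)).items():
            print(f"{key}: {value}")
```

Each `affected_dirs` entry is (encrypted files, all files), so a share where the two numbers are close has been fully processed, while `clean_dirs` lists the locations still worth preserving first.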

Checkmate ransom note (BleepingComputer)

How to block Checkmate ransomware attacks

The company warned customers not to expose their NAS devices to Internet access and to use VPN software to reduce the attack surface and block threat actors’ attempts to log in using compromised accounts.

QNAP users were also urged to review all their NAS accounts immediately and ensure they’re using strong passwords, back up their files, and take backup snapshots regularly to restore their data.

You should also disable SMB 1 by logging into QTS, QuTS hero, or QuTScloud, going to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking, and selecting “SMB 2 or higher” after clicking on Advanced Options.

QNAP recommends updating your NAS device’s firmware to the latest version by logging into QTS, QuTS hero, or QuTScloud as administrator, and hitting “Check for Update” under “Live Update” from Control Panel > System > Firmware Update.

“We are thoroughly investigating the case and will provide further information as soon as possible,” QNAP added in today’s advisory.

ech0raix ransomware has also been targeting vulnerable QNAP NAS devices again since mid-June, according to user reports and ID Ransomware sample submissions.

QNAP also said last month that it’s ‘thoroughly investigating’ a new series of attacks pushing DeadBolt ransomware that started in early June.

This warning came after several other alerts QNAP issued this [1, 2, 3], urging customers to keep their devices up to date and avoid exposing them to Internet access.

https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-checkmate-ransomware-targeting-nas-devices/
