Checkmate Ransomware Targets QNAP SMB Services
A new ransomware strain named Checkmate has been observed targeting QNAP NAS devices. The attacks are still under investigation, but they are known to reach the devices through SMB services exposed to the internet.
Checkmate runs a dictionary attack against the exposed SMB service to guess weak passwords. Once the attacker logs in and compromises the device, data encryption begins. The ransomware uses AES and RSA, and encrypted files carry the .checkmate extension.
A ransom note named !CHECKMATE_DECRYPTION_README is then dropped in each affected folder.
QNAP published a security advisory on the subject, advising customers not to expose their SMB service to the internet.
Minimizing The Attack Surface
QNAP urgently advises taking the following actions if your NAS's SMB service is reachable from the internet:
- Do not expose the NAS, and its SMB service in particular, directly to the internet; reach it through a VPN instead. This shrinks the attack surface and stops threat actors from logging in with guessed or compromised credentials.
- Disable SMB 1 by following the steps below:
- Log on to QTS, QuTS hero, or QuTScloud.
- Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
- Click Advanced Options.
- In the Lowest SMB version drop-down, select SMB 2 or higher.
- Click Apply.
- Upgrade your QNAP operating system to the most recent version.
- Log on to QTS, QuTS hero, or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
Alternatively, download the update from the QNAP website under Support > Download Center and follow the manual-update instructions for your device model.
- Check all NAS accounts immediately and make sure every password is strong enough; a dictionary attack only needs one weak account.
- Take regular backups and snapshots of your data, and keep at least one copy off the device, since snapshots on a compromised NAS can be deleted by an attacker who has obtained admin rights.
In recent years, QNAP has dealt with multiple ransomware groups attacking its products. The company is still investigating the DeadBolt ransomware campaign, as stated in its DeadBolt security advisory; some customers have reported DeadBolt infections even on devices running updated firmware.
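The two checks that matter most in the list above (is SMB reachable from the internet at all, and does it still negotiate SMB 1) can be verified from the outside rather than trusted from the control panel. The following script is an added example written for this article, not QNAP's or SOCRadar's code. It sends one SMB1 NEGOTIATE that offers only the legacy NT LM 0.12 dialect and one SMB2 NEGOTIATE to TCP/445 and reports what the server accepts. It uses only the Python standard library; the address 192.0.2.10 is a hypothetical placeholder for your NAS's public address, and the script should be run from a host outside your network.

```python
"""Probe an SMB listener on TCP/445 and report whether it still accepts SMB1
and which SMB2/3 dialect it negotiates. Added example, not QNAP's code."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def nbss_wrap(payload: bytes) -> bytes:
    """Prefix an SMB message with the NetBIOS Session Service header used on
    port 445: type 0x00 followed by a 3-byte big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """SMB1 NEGOTIATE advertising only legacy SMB1 dialects. A server that
    still allows SMB1 answers with an SMB1 header and a DialectIndex; one
    with SMB1 disabled drops the connection or answers DialectIndex 0xFFFF."""
    header = (SMB1_MAGIC
              # Command, Status, Flags, Flags2, PIDHigh
              + struct.pack("<BIBHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0)
              + b"\x00" * 8                                   # SecurityFeatures
              + struct.pack("<HHHHH", 0, 0, 0xFEFF, 0, 0))    # Reserved, TID, PID, UID, MID
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # dialect strings
    body = struct.pack("<BH", 0, len(data)) + data            # WordCount=0, ByteCount
    return nbss_wrap(header + body)


def build_smb2_negotiate(dialects=(0x0202, 0x0210, 0x0300, 0x0302)) -> bytes:
    """SMB2 NEGOTIATE (command 0). 3.1.1 is omitted because it needs negotiate
    contexts; the server still reports the highest dialect it shares with us."""
    header = (SMB2_MAGIC
              # StructureSize, CreditCharge, Status, Command, CreditRequest,
              # Flags, NextCommand, MessageId, Reserved, TreeId, SessionId
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0)
              + b"\x00" * 16)                                 # Signature
    body = struct.pack("<HHHHI", 36, len(dialects), 1, 0, 0)  # SecurityMode=1 (signing enabled)
    body += b"\x00" * 16 + b"\x00" * 8                        # ClientGuid, ClientStartTime
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return nbss_wrap(header + body)


def parse_negotiate_response(raw: bytes) -> dict:
    """Classify a raw reply (NBSS header included) as SMB1, SMB2 or neither."""
    if len(raw) < 4 + 32:
        return {"protocol": None, "dialect": None}
    msg = raw[4:]
    if msg[:4] == SMB2_MAGIC and len(msg) >= 64 + 6:
        rev = struct.unpack_from("<H", msg, 64 + 4)[0]        # DialectRevision
        return {"protocol": "SMB2", "dialect": SMB2_DIALECTS.get(rev, hex(rev))}
    if msg[:4] == SMB1_MAGIC and msg[4] == SMB_COM_NEGOTIATE and len(msg) >= 35:
        index = struct.unpack_from("<H", msg, 33)[0]          # DialectIndex after WordCount
        if index == 0xFFFF:                                   # none of our dialects accepted
            return {"protocol": "SMB1", "dialect": None}
        return {"protocol": "SMB1", "dialect": "NT LM 0.12"}
    return {"protocol": None, "dialect": None}


def exchange(host: str, request: bytes, port: int = 445, timeout: float = 5.0) -> bytes:
    """Send one request on a fresh TCP connection and return the full reply,
    or b"" if the server is unreachable, times out or closes the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            hdr = s.recv(4)
            if len(hdr) < 4:
                return b""
            need, data = int.from_bytes(hdr[1:], "big"), b""
            while len(data) < need:
                chunk = s.recv(need - len(data))
                if not chunk:
                    break
                data += chunk
            return hdr + data
    except OSError:
        return b""


def probe(host: str, port: int = 445) -> dict:
    """Return whether SMB1 is accepted and which SMB2/3 dialect the host picks."""
    smb1 = parse_negotiate_response(exchange(host, build_smb1_negotiate(), port))
    smb2 = parse_negotiate_response(exchange(host, build_smb2_negotiate(), port))
    return {"smb1_accepted": smb1["protocol"] == "SMB1" and smb1["dialect"] is not None,
            "smb2_dialect": smb2["dialect"] if smb2["protocol"] == "SMB2" else None}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # hypothetical NAS address
    result = probe(target)
    if result["smb2_dialect"] is None and not result["smb1_accepted"]:
        print(f"{target}: no SMB reachable on 445 (expected for the internet-facing side)")
    else:
        print(f"{target}: SMB1 accepted={result['smb1_accepted']}, "
              f"SMB2 dialect={result['smb2_dialect']}")
```

The desired outcome, when run from the internet against your public address, is the "no SMB reachable" line: SMB should only answer from inside the LAN or over the VPN. From inside, SMB1 accepted should be False after the "Lowest SMB version" change, and the SMB2 dialect tells you whether the firmware on the NAS is recent enough to negotiate SMB 3.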