A new ransomware strain known as Checkmate has recently come to the attention of Taiwanese vendor QNAP, and early research suggests that it targets NAS devices whose SMB services are accessible from the internet. SMB is a communication protocol that lets nodes on a network share access to files.
Objectives:
The ransomware appends the .checkmate extension to the names of the files it encrypts and leaves a ransom note named !CHECKMATE DECRYPTION README on compromised devices.
According to a report by BleepingComputer, some forum users said they had been infected with the Checkmate ransomware in June. For a decryptor and a decryption key, the attackers demand a payment of $15,000 in bitcoin from each victim.
According to QNAP, the malicious actors behind this campaign use accounts compromised through dictionary attacks to log in remotely to devices that are exposed to remote access. After gaining access, they begin encrypting files in shared folders, although according to victim reports, all the data is encrypted.
Resist ransomware threats
The company advised users to use VPN software to reduce the attack surface and prevent threat actors from attempting to log in with compromised credentials. It also advised customers not to expose their NAS devices to the internet.
Additionally, QNAP users were told to review all of their NAS accounts right away, confirm that they are using strong passwords, back up their files, and take snapshots regularly in case their data needs to be restored.
Disabling SMB 1
- Log in to QTS, QuTS hero, or QuTScloud.
- Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
- Select Advanced Options.
- The Advanced Options window appears.
- Next to Lowest SMB version, select SMB 2 or higher.
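One way to confirm the setting took effect, as an added example that is not from QNAP or the original article: the script sends an SMB1-only Negotiate request to a NAS you administer and reports whether the server still selects an SMB1 dialect. The function names and result strings are assumptions of this example, as is the expectation that a server with SMB 1 disabled either drops the connection or answers without selecting a dialect.

```python
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF  # server selected none of the offered dialects


def build_smb1_negotiate() -> bytes:
    """SMB1 Negotiate request that offers only the SMB1 dialect 'NT LM 0.12'."""
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, SMB_COM_NEGOTIATE,
                         0, 0x18, 0xC801, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    dialects = b"\x02NT LM 0.12\x00"
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects  # WordCount=0
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg  # 4-byte transport header


def smb1_accepted(reply: bytes) -> bool:
    """True only if the reply is an SMB1 Negotiate response that picked a dialect."""
    if len(reply) < 39 or reply[4:8] != SMB1_MAGIC:
        return False  # connection dropped, non-SMB1 reply, or truncated data
    command, status = struct.unpack_from("<BI", reply, 8)
    word_count = reply[36]
    (dialect_index,) = struct.unpack_from("<H", reply, 37)
    return (command == SMB_COM_NEGOTIATE and status == 0
            and word_count >= 1 and dialect_index != NO_DIALECT)


def check_host(host: str, port: int = 445, timeout: float = 5.0) -> str:
    """Probe a NAS you administer and report how it answers an SMB1-only offer."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "port not reachable"
    with sock:
        try:
            sock.sendall(build_smb1_negotiate())
            reply = sock.recv(4096)
        except OSError:
            reply = b""  # reset or timeout: the SMB1 request was dropped
    return "SMB1 accepted" if smb1_accepted(reply) else "SMB1 refused"


if __name__ == "__main__":
    for target in sys.argv[1:]:  # e.g. the NAS's LAN address
        print(target, check_host(target))
```

Run it from the LAN with the NAS address as the argument; after the change above the expected result is "SMB1 refused".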
QTS, QuTS hero, or QuTScloud updates
- Log in to QTS, QuTS hero, or QuTScloud as an administrator.
- Go to Control Panel > System > Firmware Update.
- Click Check for Update under Live Update.
The most recent update is downloaded and installed by QTS, QuTS hero, or QuTScloud.
Additionally, QNAP stated last month that it is "thoroughly researching" a recent round of attacks that began in early June and are aimed at spreading the DeadBolt ransomware.
In the past two years, a wave of ransomware attacks has targeted QNAP NAS users, leading the vendor to publish several alerts and urgent updates, and even encourage for end-of-life hardware.