Checkmate ransomware hits QNAP NAS devices
QNAP Systems is warning about Checkmate, a new piece of ransomware targeting users of its network-attached storage (NAS) appliances.
“Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords,” the company says.
“Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name ‘!CHECKMATE_DECRYPTION_README’ in each folder.”
About Checkmate
This particular ransomware has been documented in late May 2022, but it seems that it hasn’t succeeded in spreading widely, since QNAP is only now addressing the issue.
At the beginning of June, some affected users took to Bleeping Computer’s online forum to ask whether anyone could help them to restore the encrypted or deleted files.
In the ransom message, the team behind the malware asks for $15,000 USD in bitcoin, and for the victims to contact them via Telegram. They offer to decrypt three files for the victims to prove that the decryption program they use works.
Unfortunately, there is no publicly available decryptor for files encrypted by Checkmate, and there is no guarantee victims will receive the decryption program even if the pay the hefty ransom.
QNAP NAS owners that have not been hit by the Checkmate ransomware are advised not to expose SMB service to the internet, to reduce NAS service exposure to the internet, to disable SMB1, and update their QNAP operating system to the latest version.
They should also review all NAS accounts to ensure all passwords are strong enough to withstand dictionary and similar attacks, and back up their data and take snapshots regularly.
Ransomware attackers love NAS devices
NAS devices – whether manufactured by QNAP or other companies like Synology, Western Digital, Zyxel and others – are regularly targeted with ransomware and bitcoin miners.
A few weeks ago QNAP warned users about new DeadBolt and ech0raix ransomware campaigns.
Attackers often take advantage of users’ poor password choices, but also of known and zero-day vulnerabilities to comandeer the devices.