Network-attached storage (NAS) maker QNAP has advised its customers to protect their equipment from attacks employing the data-encrypting Checkmate ransomware. According to QNAP, the attacks focus on Internet-exposed QNAP devices with the SMB service enabled and on accounts with weak passwords that are easy targets for brute-force attacks.
“A new ransomware known as Checkmate has recently been brought to our attention,” said the NAS maker in a recently-released security advisory. “Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords.”
Checkmate is a newly identified ransomware strain that was first seen in attacks around May 28. It encrypts files, appends a .checkmate suffix to them, and leaves a ransom note named !CHECKMATE_DECRYPTION_README. Victims whose data was encrypted by Checkmate have been sharing these files in a dedicated forum post, even though there aren’t any reports on QNAP’s own forums or online social networks.
According to the ransom notes seen thus far, the attackers demand $15,000 in bitcoins from the victims in exchange for a decryptor and a decryption key. QNAP disclosed that the threat actors behind this campaign use accounts compromised by dictionary attacks to log in remotely to devices exposed to remote access. Once they have access, they start encrypting files in shared folders (however, victim reports indicate that all the data is encrypted).
The company advised users to put their devices behind VPN software to decrease the attack surface and prevent threat actors from attempting to log in using compromised credentials. It also advised customers to avoid exposing their NAS machines to the Internet. Additionally, QNAP customers were instructed to review their NAS accounts immediately, double-check that they’re using secure passwords, back up their files, and routinely create backup snapshots in case their data has to be restored.
You should also disable SMB 1 by logging into QTS, QuTS hero, or QuTScloud, going to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking, clicking Advanced Options, and choosing “SMB 2 or higher”. QNAP also advises updating the firmware on your NAS device to the most recent version by logging into QTS, QuTS hero, or QuTScloud as administrator and selecting “Check for Update” under “Live Update” in Control Panel > System > Firmware Update.
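As an added example (not part of QNAP's advisory), the following Python script walks a mounted NAS share and counts, per top-level folder, the files carrying the .checkmate suffix and the ransom notes named !CHECKMATE_DECRYPTION_README, and records the earliest modification time among encrypted files so that a snapshot taken before that point can be chosen for restore. The function name `scan_share`, the case-insensitive matching, and the prefix match on the note name (to allow for a file extension) are assumptions.

```python
import os
import sys
from collections import defaultdict
from datetime import datetime, timezone

SUFFIX = ".checkmate"                       # suffix named in the article
NOTE_NAME = "!CHECKMATE_DECRYPTION_README"  # ransom note name from the article


def scan_share(root):
    """Summarise Checkmate indicators under `root`, grouped by top-level folder."""
    report = defaultdict(lambda: {"encrypted": 0, "notes": 0, "earliest": None})
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        rel = os.path.relpath(dirpath, root)
        top = "." if rel == "." else rel.split(os.sep)[0]
        for name in files:
            # Assumption: the note may carry an extension, so match its prefix.
            if name.upper().startswith(NOTE_NAME):
                report[top]["notes"] += 1
            elif name.lower().endswith(SUFFIX):
                entry = report[top]
                entry["encrypted"] += 1
                try:
                    mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
                except OSError:
                    continue  # unreadable or removed mid-scan; still counted
                if entry["earliest"] is None or mtime < entry["earliest"]:
                    entry["earliest"] = mtime
    return dict(report)


if __name__ == "__main__":
    share = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_share(share)
    if not results:
        print("No Checkmate indicators found under", share)
    for folder, info in sorted(results.items()):
        first = "n/a"
        if info["earliest"] is not None:
            first = datetime.fromtimestamp(info["earliest"], timezone.utc).isoformat()
        print(f"{folder}: {info['encrypted']} encrypted file(s), "
              f"{info['notes']} ransom note(s), earliest change {first}")
```

Run it read-only against the share's mount point; folders with no indicators are omitted from the output.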
“We are thoroughly investigating the case and will provide further information as soon as possible,” said QNAP in the latest advisory.
User complaints and ID Ransomware sample submissions indicate that the eCh0raix ransomware has been attacking susceptible QNAP NAS machines once again since mid-June. QNAP also stated last month that it is “thoroughly investigating” a recent round of cyberattacks that began in early June and are aimed at spreading the DeadBolt ransomware. This warning followed many earlier alerts from QNAP advising users to keep their devices up to date and to keep them away from the Internet.