[German]Taiwanese manufacturer QNAP has issued a warning as of July 7, 2022 that a new Checkmate ransomware attacks its NAS units via SMB services accessible via the Internet. Presumably, weak passwords will then have their credentials cracked via brute-force attack and the volumes will then be encrypted. The first cases seem to have occurred as early as June 2022.
Advertising
QNAP warning
The warning can be found in QNAP Advisory QSA-22-21 Checkmate Ransomware via SMB Services Exposed to the Internet. Currently not too much is known, QNAP is still investigating the incidents. QNAP shares the following assumption in the advisory:
Recently, we were made aware of a new ransomware called Checkmate. According to preliminary research, Checkmate attacks via SMB services exposed to the Internet and uses a dictionary attack to crack accounts with weak passwords. Once the attacker successfully logs into a device, it encrypts data in shared folders and leaves a ransom note in each folder with the filename "!CHECKMATE_DECRYPTION_README."
The company plans to provide more information as soon as possible, but is currently probably still investigating whether a vulnerability might be exploited.
Victims post in June 2022 in forums
The colleagues at Bleeping Computer, who report on the advisory here, refer to their own forum, where victims of the ransomware have already reported a case in early June 2022.
Hi!
I need some help wit new (I believe) ransomware, which encrypt files on QNAP storage of my clients. Ransom puts .checkmate file extension.[…]
………
You was hacked by CHECKMATE team.All your data has been encrypted, backups have been deleted.
Your unique ID: bc75c72[edited]
You can restore the data by paying us money.
We have encrypted 267183 office files.
We determine the amount of the ransom from the number of encrypted office files.
The cost of decryption is 15000 USD.
Payment is made to a unique bitcoin wallet.
Before paying, you will be able to make sure that we can actually decrypt your files.
For this:
1) Download and install Telegram Messenger *ttps://telegram.org/
2) Find us *ttps://t.me/checkmate_team
3) Send a message with your unique ID and 3 files for test decryption. Files should be no more than 15mb each.
4) In response, we will send the decrypted files and a bitcoin wallet for payment. Bitcoin wallet is unique for you, so we can find out what you paid.
5) After the payment is received, we will send you the key and the decryption program.
Below is a picture of an encrypted folder. The demand of 15,000 US dollars seems quite steep to me – not many victims will be able or willing to pay.
Files encrypted by Checkmate Ransomware
Advertising
Recommended countermeasures
Vendor QNAP recommends making sure that the SMB service of the NAS devices is not accessible via the Internet. Those who want to access the NAS remotely should use a VPN service. In addition, the NAS operating system should be kept up to date and SMBv1 should be disabled. The necessary steps are described in the advisory.
Further recommendations are to check the passwords and make sure that all passwords are secure enough. Furthermore, the manufacturer recommends its users to back up the data on the NAS units and to create snapshots regularly.
