Checkmate Ransomware targets QNAP NAS
QNAP is warning of a of new ransomware dubbed Checkmate targeting its NAS devices using weak passwords. Threat actors are targeting devices exposed online with the SMB service enabled, they perform brute force attacks against accounts using weak passwords.
The ransomware appends the .checkmate extension to the filenames of encrypted files, it drops a ransom note named !CHECKMATE_DECRYPTION_README on the infected devices.
The vendor recommends not exposing the SMB service to the internet and using VPN to access the NAS and reduce the attack surface.
QNAP also recommends disabling SMB 1 and updating the operating system to the latest version.
The advisory also suggests reviewing all NAS accounts immediately to ensure they are using strong passwords and of course back up data and take snapshots regularly.
Disabling SMB 1
- Log on to QTS, QuTS hero, or QuTScloud.
- Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
- Click Advanced Options.
The Advanced Options window opens.
- Next to Lowest SMB version, select SMB 2 or higher.
- Click Apply.
Updating QTS, QuTS hero, or QuTScloud
- Log on to QTS, QuTS hero or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS, QuTS hero or QuTScloud downloads and installs the latest available update.