QNAP warns of new Checkmate ransomware targeting NAS devices

https://www.bleepingcomputer.com/news/se...s-devices/

By Sergiu Gatlan
July 7, 2022 11:47 AM

Network-attached storage (NAS) vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data.

QNAP says the attacks are focused on Internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks.

"A new ransomware known as Checkmate has recently been brought to our attention," the NAS maker said in a security advisory published Thursday.

"Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords."

Checkmate is a recently discovered ransomware strain, first deployed in attacks around May 28, that appends a .checkmate extension to encrypted files and drops a ransom note named !CHECKMATE_DECRYPTION_README.

While there aren't any reports on QNAP's official forums or online social networks, victims have been sharing files locked using Checkmate ransomware in a dedicated BleepingComputer forum thread.

Based on ransom notes seen so far by BleepingComputer, the attackers ask victims to pay $15,000 worth of bitcoins to get a decryptor and a decryption key.

According to QNAP, the threat actors behind this campaign will remotely log in to devices exposed to remote access with the help of accounts compromised in dictionary attacks.

After gaining access, they start encrypting files in shared folders (however, victim reports say that all the data is encrypted).

How to block Checkmate ransomware attacks

The company warned customers not to expose their NAS devices to Internet access and to use VPN software to reduce the attack surface and block threat actors' attempts to log in using compromised accounts.

QNAP users were also urged to review all their NAS accounts immediately and ensure they're using strong passwords, back up their files, and take backup snapshots regularly to restore their data.

You should also disable SMB 1 by logging into QTS, QuTS hero, or QuTScloud, going to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking, and selecting "SMB 2 or higher" after clicking on Advanced Options.

QNAP recommends updating your NAS device's firmware to the latest version by logging into QTS, QuTS hero, or QuTScloud as administrator, and hitting "Check for Update" under "Live Update" from Control Panel > System > Firmware Update.

"We are thoroughly investigating the case and will provide further information as soon as possible," QNAP added in today's advisory.

ech0raix ransomware is also targeting vulnerable QNAP NAS devices again since mid-June, according to user reports and ID Ransomware sample submissions.

QNAP also said last month that it's 'thoroughly investigating' a new series of attacks pushing DeadBolt ransomware that started in early June.

This warning came after several other alerts QNAP issued this [1, 2, 3], urging customers to keep their devices up to date and avoid exposing them to Internet access.
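
The two file-level indicators named in the article (the .checkmate extension and the !CHECKMATE_DECRYPTION_README ransom note) are enough to triage which shared folders on a NAS were hit. The script below is an added example, not part of the original article or any QNAP tooling; the function names are hypothetical, and matching the note by prefix (to tolerate a file extension) is an assumption.

```python
import os, sys, tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".checkmate"               # extension named in the article
NOTE_PREFIX = "!checkmate_decryption_readme"  # ransom note name from the article;
                                              # prefix match allows an extension (assumption)

def triage_share(root):
    """Summarise Checkmate indicators per top-level folder under `root`."""
    report = defaultdict(lambda: {"total": 0, "encrypted": 0, "notes": [],
                                  "first_note_mtime": None})
    for dirpath, _dirs, files in os.walk(root):   # does not follow symlinks
        rel = os.path.relpath(dirpath, root)
        entry = report["." if rel == "." else rel.split(os.sep)[0]]
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower.startswith(NOTE_PREFIX):
                entry["notes"].append(path)
                try:
                    mtime = os.lstat(path).st_mtime
                except OSError:
                    continue                      # vanished or unreadable; still listed
                first = entry["first_note_mtime"]
                entry["first_note_mtime"] = mtime if first is None else min(first, mtime)
                continue
            entry["total"] += 1
            entry["encrypted"] += lower.endswith(ENCRYPTED_SUFFIX)
    return dict(report)

def affected_folders(report):
    """Names of folders showing any indicator, most encrypted files first."""
    hits = [f for f, r in report.items() if r["encrypted"] or r["notes"]]
    return sorted(hits, key=lambda f: report[f]["encrypted"], reverse=True)

def build_sample_tree(root):
    """Constructed sample data: two shares, one showing the indicators."""
    layout = {"Public/a.docx.checkmate": b"x", "Public/sub/b.jpg.checkmate": b"x",
              "Public/!CHECKMATE_DECRYPTION_README": b"x", "Backups/c.tar": b"x"}
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) < 2:
        build_sample_tree(root)
    rep = triage_share(root)
    for f in affected_folders(rep):
        print(f"{f}: {rep[f]['encrypted']}/{rep[f]['total']} encrypted, {len(rep[f]['notes'])} note(s)")
```

Run it with the path of a mounted share root as the only argument; with no argument it scans the constructed sample tree. The earliest ransom-note modification time per folder gives a rough lower bound for choosing a snapshot to restore from.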