QNAP NAS Users Targeted with Ransomware Again – This Time, It’s ‘Checkmate’

Filip TRUȚĂ

July 08, 2022


QNAP Systems has issued an advisory warning customers that ransomware operators are targeting its network-attached storage (NAS) products via Server Message Block (SMB) services exposed to the web.

The Taiwanese company said a new ransomware family known as Checkmate was recently brought to its attention, with preliminary analysis indicating that it’s targeting NAS devices with SMB services exposed to the internet. SMB is a communication protocol used to provide shared access to files across nodes on a network of systems.

However, Checkmate ransomware operators are apparently not exploiting any vulnerability in QNAP’s products. Rather, they are making the most of misconfigured network settings and weak, easy-to-guess passwords via a simple technique known as a dictionary attack.

“Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords,” the advisory reads. “Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.”
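Because the note is dropped in every folder that was encrypted, its file name can be used to scope the damage on a share tree. The following is an added example, not code from QNAP or from the original article: it walks each share under a root directory and lists the folders that contain the note. The sample directory layout is constructed, and accepting any file extension on the note name is an assumption, since the advisory gives only the base name.

```python
import os
import tempfile

# File name from the QNAP advisory quoted above. The extension, if any, is not
# stated on the page, so any suffix after the base name is accepted (assumption).
NOTE_BASENAME = "!CHECKMATE_DECRYPTION_README"


def is_ransom_note(filename):
    """True if filename is the note name, with or without an extension."""
    return os.path.splitext(filename)[0].upper() == NOTE_BASENAME


def scan_shares(root):
    """Return {share: {"folders": n, "hit": [relative paths holding a note]}}."""
    report = {}
    for share in sorted(os.listdir(root)):
        share_path = os.path.join(root, share)
        if not os.path.isdir(share_path) or os.path.islink(share_path):
            continue
        entry = {"folders": 0, "hit": []}
        # followlinks=False: never walk out of the share through a symlink
        for dirpath, _dirs, files in os.walk(share_path, followlinks=False):
            entry["folders"] += 1
            if any(is_ransom_note(f) for f in files):
                entry["hit"].append(os.path.relpath(dirpath, root))
        entry["hit"].sort()
        report[share] = entry
    return report


def build_sample_tree(root):
    """Constructed sample layout: one affected share, one clean share."""
    for d in ("Public/docs", "Public/photos", "Backup/weekly"):
        os.makedirs(os.path.join(root, *d.split("/")))
    for d in ("Public", os.path.join("Public", "docs")):
        open(os.path.join(root, d, NOTE_BASENAME + ".txt"), "w").close()
    open(os.path.join(root, "Backup", "readme.txt"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for share, e in scan_shares(tmp).items():
            print(f"{share}: {len(e['hit'])}/{e['folders']} folders carry the note")
```

Run against a read-only mount or snapshot of the shares so the scan does not alter timestamps that an investigation may need.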

Victims are sharing their stories on the BleepingComputer forum. Ransom notes may vary depending on each victim’s data, but according to forum starter “sikich,” the ransom demand was $15,000. It is unclear if Checkmate operators are adjusting their demands based on the value of the encrypted/stolen data, but it wouldn’t be a surprise if they did, as this practice is fairly common amongst ransomware operatives.

The ransom note shared by “sikich” is reproduced below:

You was hacked by CHECKMATE team.

All your data has been encrypted, backups have been deleted.

Your unique ID: bc75c72[edited]

You can restore the data by paying us money.

We have encrypted 267183 office files.

We determine the amount of the ransom from the number of encrypted office files.

The cost of decryption is 15000 USD.

Payment is made to a unique bitcoin wallet.

Before paying, you will be able to make sure that we can actually decrypt your files.

For this:

1) Download and install Telegram Messenger https://telegram.org/

2) Find us https://t.me/checkmate_team

3) Send a message with your unique ID and 3 files for test decryption. Files should be no more than 15mb each.

4) In response, we will send the decrypted files and a bitcoin wallet for payment. Bitcoin wallet is unique for you, so we can find out what you paid.

5) After the payment is received, we will send you the key and the decryption program.

QNAP says it is “thoroughly investigating the case and will provide further information as soon as possible.”

Customers are urged to reduce their NAS exposure to the internet by tweaking their network settings accordingly. The company also instructs users to make sure their firmware is up to date.

Although QNAP clearly mentions that victims of this abuse have weak passwords in place, the firm falls short of recommending that users switch to stronger passwords – which, of course, they should.

QNAP NAS users have been targeted by a flurry of ransomware attacks in the past two years, prompting the vendor to issue several such advisories, urgent patches and even to extend support for end-of-life products.
