Security ID: QSA-22-21

Checkmate Ransomware via SMB Services Exposed to the Internet


  • Release date: July 7, 2022

  • Affected products: SMB services exposed to the internet

Severity

Moderate

Status

Information


Summary

A new ransomware known as Checkmate has recently been brought to our attention. Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.
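The ransom note file name above can serve as an indicator when checking shared folders. The script below is an added example, not QNAP code: it walks one or more share paths, lists the folders that contain the note, and reports the earliest note timestamp, which gives an approximate time for choosing a snapshot or backup taken before the attack. The share paths passed on the command line, the script name `scan_notes.py`, and the tolerance for a file extension on the note are assumptions.

```python
import os
import sys
from datetime import datetime, timezone

# File name from the advisory. Matching ignores case and any extension;
# that tolerance is an assumption of this example.
NOTE_NAME = "!CHECKMATE_DECRYPTION_README"


def is_ransom_note(filename):
    return os.path.splitext(filename)[0].upper() == NOTE_NAME


def scan_share(root):
    """Walk one share; return (affected_folders, earliest_note_mtime)."""
    affected, earliest = [], None
    # os.walk skips unreadable folders; run as an account that can read all shares.
    for folder, _dirs, files in os.walk(root):
        notes = [f for f in files if is_ransom_note(f)]
        if not notes:
            continue
        affected.append(folder)
        for name in notes:
            try:
                mtime = os.stat(os.path.join(folder, name)).st_mtime
            except OSError:
                continue  # note vanished or is unreadable; folder is still listed
            if earliest is None or mtime < earliest:
                earliest = mtime
    return sorted(affected), earliest


def main(argv):
    if len(argv) < 2:
        print("usage: scan_notes.py SHARE_PATH [SHARE_PATH ...]", file=sys.stderr)
        return 2
    found = False
    for root in argv[1:]:
        affected, earliest = scan_share(root)
        found = found or bool(affected)
        when = (datetime.fromtimestamp(earliest, tz=timezone.utc).isoformat()
                if earliest is not None else "n/a")
        print(f"{root}: {len(affected)} folder(s) with note, earliest note: {when}")
        for folder in affected:
            print(f"  {folder}")
    return 1 if found else 0  # non-zero exit lets a scheduled job raise an alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```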

Recommendation

If the SMB service on your NAS is exposed to the internet, we strongly recommend taking the following actions:

  1. Do not expose SMB service to the internet.
    You can reduce NAS service exposure to the internet by using a VPN. For details, refer to this document.
  2. Disable SMB 1.
  3. Update your QNAP operating system to the latest version.
  4. Review all NAS accounts immediately to ensure all passwords are strong enough.
  5. Back up your data and take snapshots regularly.

Disabling SMB 1

  1. Log on to QTS, QuTS hero, or QuTScloud.
  2. Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
  3. Click Advanced Options.
    The Advanced Options window opens.
  4. Next to Lowest SMB version, select SMB 2 or higher.
  5. Click Apply.

Updating QTS, QuTS hero, or QuTScloud

  1. Log on to QTS, QuTS hero or QuTScloud as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS, QuTS hero or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Revision history: V1.0 (July 7, 2022) - Published
