New Checkmate Ransomware Threatening Your NAS Devices

Saijin_Naib
Posts: 92
Joined: 23 Jun 2021, 01:19

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Saijin_Naib » 13 Jul 2022, 10:44

@TMroy
Any news of an update to mitigate this risk for ARM (TOS 4.x devices), especially given we have an older, more vulnerable kernel combined with lack of Two-Factor, no security/malware/ransomware protection features like TOS 5.x, and generally a far inferior and vulnerable OS?

onemeshnig
Posts: 24
Joined: 15 Apr 2021, 05:28

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by onemeshnig » 14 Jul 2022, 03:39

TMroy wrote:
08 Jul 2022, 23:07
Recommendation
1. Do not enable SMB 1 service on your TNAS device.
How can I choose another SMB version when I can't find this option in settings on my F4-210?

Saijin_Naib
Posts: 92
Joined: 23 Jun 2021, 01:19

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Saijin_Naib » 14 Jul 2022, 08:06

@onemeshnig
ARM implementation of TOS 4.x is missing a ton of features, among them any way to set the SMB version and parameters like the x86 TOS users can. So, you don't have that control unless you drop into the shell via SSH and edit configs manually.

CapCaveman
Posts: 1
Joined: 12 Jan 2022, 20:56

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by CapCaveman » 20 Jul 2022, 01:14

TMroy wrote:
08 Jul 2022, 23:07
According to the official information provided by QNAP, a new ransomware known as Checkmate is targeting QNAP NAS devices recently. Checkmate attacks via SMB services exposed to the internet and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.

Related news: QNAP warns yet another wave of attacks are targeting NAS devices by techradar

Your TNAS is also highly likely to be targeted.

Recommendation
1. Do not enable SMB 1 service on your TNAS device.
2. Review all TNAS accounts immediately to ensure all passwords are strong enough. It is recommended that the password contain at least 8 characters, upper and lower case letters, and special characters.
3. Back up your data and take snapshots regularly for your share folders by installing the Snapshot app. If you have installed the TOS 5.0 on your TNAS, it is recommended to enable the TerraMaster File System Snapshot(TFSS) immediately. What is TFSS?
Thanks for the heads up. I would add to use a firewall rule to allow only safe IPs to access the NAS. Regarding the firewall, I implemented it since the Ech0raix attack last December and had no problems since. The only issue I have is that when I reset the TNAS, it seems Plex can't access the Plex servers since internet is disabled and my local movies are no longer found. I have to disable the firewall so that the TNAS has access to the internet and then restart the TNAS. Then the files are found and I enable the firewall again. Do you know which IPs the TNAS accesses to validate Plex, or how I can fix this issue?

titanrx8
Posts: 184
Joined: 17 Jul 2020, 06:17

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by titanrx8 » 20 Jul 2022, 05:03

CapCaveman wrote:
20 Jul 2022, 01:14
TMroy wrote:
08 Jul 2022, 23:07
According to the official information provided by QNAP, a new ransomware known as Checkmate is targeting QNAP NAS devices recently. Checkmate attacks via SMB services exposed to the internet and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.

Related news: QNAP warns yet another wave of attacks are targeting NAS devices by techradar

Your TNAS is also highly likely to be targeted.

Recommendation
1. Do not enable SMB 1 service on your TNAS device.
2. Review all TNAS accounts immediately to ensure all passwords are strong enough. It is recommended that the password contain at least 8 characters, upper and lower case letters, and special characters.
3. Back up your data and take snapshots regularly for your share folders by installing the Snapshot app. If you have installed the TOS 5.0 on your TNAS, it is recommended to enable the TerraMaster File System Snapshot(TFSS) immediately. What is TFSS?
Thanks for the heads up. I would add to use a firewall rule to allow only safe IPs to access the NAS. Regarding the firewall, I implemented it since the Ech0raix attack last December and had no problems since. The only issue I have is that when I reset the TNAS, it seems Plex can't access the Plex servers since internet is disabled and my local movies are no longer found. I have to disable the firewall so that the TNAS has access to the internet and then restart the TNAS. Then the files are found and I enable the firewall again. Do you know which IPs the TNAS accesses to validate Plex, or how I can fix this issue?
Does your firewall log all outbound flows? Should be relatively easy to see which site Plex is pinging when you open the firewall. Then write a rule to allow that exception.

Fionn
Posts: 3
Joined: 24 May 2022, 23:05

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Fionn » 31 Jul 2022, 14:34

@onemeshnig
Saijin_Naib wrote:
14 Jul 2022, 08:06
ARM implementation of TOS 4.x is missing a ton of features, among them any way to set the SMB version and parameters like the x86 TOS users can. So, you don't have that control unless you drop into the shell via SSH and edit configs manually.
And how do you do that?
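
For the "Do not enable SMB 1" recommendation on units whose settings UI has no protocol option, here is an added example (not from the thread or from TerraMaster): a read-only shell check of a Samba-style smb.conf. It assumes the NAS serves SMB with Samba; the config path you pass is device-specific and is not given in the thread.

```shell
#!/bin/sh
# Added example: report whether a Samba-style smb.conf permits SMB1.
# Assumption: the SMB service is Samba and reads the file you pass in.

# Print the [global] "server min protocol" value (upper-cased), or nothing
# if it is not set. "min protocol" is Samba's synonym for the same setting.
smb_min_protocol() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            val = toupper(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "server min protocol" || key == "min protocol")
                last = val                          # last occurrence wins
        }
        END { if (last != "") print last }
    ' "$1"
}

# Print one of: SMB1_ALLOWED, SMB1_BLOCKED, UNSET, UNKNOWN.
# UNSET means Samba's built-in default applies: SMB2_02 since Samba 4.11,
# LANMAN1 (SMB1 accepted) on older releases, so check the Samba version.
smb1_status() {
    proto=$(smb_min_protocol "$1")
    case "$proto" in
        "")                                echo "UNSET" ;;
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) echo "SMB1_ALLOWED" ;;
        SMB2*|SMB3*)                       echo "SMB1_BLOCKED" ;;
        *)                                 echo "UNKNOWN" ;;
    esac
}

# Stand-alone use: sh check_smb1.sh /path/to/smb.conf
[ "$#" -eq 0 ] || smb1_status "$1"
```

A result of SMB1_ALLOWED or UNSET on an old Samba build means `server min protocol = SMB2` (or higher) needs to be set under `[global]` and the SMB service restarted; back up the file first, since a firmware update may overwrite manual edits.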
