New Checkmate Ransomware Threatening Your NAS Devices

Saijin_Naib
Posts: 79
Joined: 23 Jun 2021, 01:19

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Saijin_Naib »

@TMroy
Any news of an update to mitigate this risk for ARM (TOS 4.x devices), especially given we have an older, more vulnerable kernel combined with lack of Two-Factor, no security/malware/ransomware protection features like TOS 5.x, and generally a far inferior and vulnerable OS?
onemeshnig
Posts: 21
Joined: 15 Apr 2021, 05:28

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by onemeshnig »

TMroy wrote: 08 Jul 2022, 23:07 Recommendation
1. Do not enable SMB 1 service on your TNAS device.
How can I choose another SMB version when I can't find this option in settings on my F4-210?
Saijin_Naib
Posts: 79
Joined: 23 Jun 2021, 01:19

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Saijin_Naib »

@onemeshnig
ARM implementation of TOS 4.x is missing a ton of features, among them any way to set the SMB version and parameters like the x86 TOS users can. So, you don't have that control unless you drop into the shell via SSH and edit configs manually.
CapCaveman
Posts: 2
Joined: 12 Jan 2022, 20:56

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by CapCaveman »

TMroy wrote: 08 Jul 2022, 23:07 According to the official information provided by QNAP, a new ransomware known as Checkmate is targeting QNAP NAS devices recently. Checkmate attacks via SMB services exposed to the internet and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.

Related news: QNAP warns yet another wave of attacks are targeting NAS devices by techradar

Your TNAS is also highly likely to be targeted.

Recommendation
1. Do not enable SMB 1 service on your TNAS device.
2. Review all TNAS accounts immediately to ensure all passwords are strong enough. It is recommended that the password contain at least 8 characters, upper and lower case letters, and special characters.
3. Back up your data and take snapshots regularly for your share folders by installing the Snapshot app. If you have installed the TOS 5.0 on your TNAS, it is recommended to enable the TerraMaster File System Snapshot (TFSS) immediately. What is TFSS?
Thanks for the heads up. I would add to use a firewall rule to allow only safe IPs to access the NAS. Regarding the firewall, I implemented it since the Ech0raix attack last December and had no problems since. The only issue I have is that when I reset the TNAS, it seems Plex can't access the Plex servers since internet is disabled and my local movies are no longer found. I have to disable the firewall so that the TNAS has access to the internet and then restart the TNAS. Then the files are found and I enable the firewall again. Do you know which IPs the TNAS accesses to validate Plex, or how I can fix this issue?
titanrx8
Posts: 222
Joined: 17 Jul 2020, 06:17

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by titanrx8 »

CapCaveman wrote: 20 Jul 2022, 01:14
Thanks for the heads up. I would add to use a firewall rule to allow only safe IPs to access the NAS. Regarding the firewall, I implemented it since the Ech0raix attack last December and had no problems since. The only issue I have is that when I reset the TNAS, it seems Plex can't access the Plex servers since internet is disabled and my local movies are no longer found. I have to disable the firewall so that the TNAS has access to the internet and then restart the TNAS. Then the files are found and I enable the firewall again. Do you know which IPs the TNAS accesses to validate Plex, or how I can fix this issue?
Does your firewall log all outbound flows? Should be relatively easy to see which site Plex is pinging when you open the firewall. Then write a rule to allow that exception.
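The log review suggested above, as an added example that is not part of any post in this thread: it counts the destinations the NAS tried to reach so that an allow rule can be written for only those. It assumes the firewall writes iptables-style LOG lines tagged with a hypothetical `FW-DROP` prefix and that the NAS is 192.168.1.50; the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example: summarise outbound flows a NAS attempted, from
# iptables-style LOG lines (SRC= DST= PROTO= DPT= tokens).
# Assumptions: "FW-DROP" is a hypothetical log prefix; all addresses
# below are constructed sample values.

# Constructed sample log: three outbound attempts, one inbound packet.
sample_fw_log() {
    cat <<'EOF'
Jul 20 01:10:01 gw kernel: FW-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51514 DPT=443
Jul 20 01:10:02 gw kernel: FW-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51516 DPT=443
Jul 20 01:10:05 gw kernel: FW-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 LEN=76 PROTO=UDP SPT=40000 DPT=123
Jul 20 01:10:09 gw kernel: FW-DROP IN=eth0 OUT=br0 SRC=203.0.113.200 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=40222 DPT=445
EOF
}

# outbound_destinations LOGFILE NAS_IP
# Print "COUNT DST:PORT/PROTO" for packets sent by NAS_IP, busiest first.
outbound_destinations() {
    awk -v nas="$2" '
        /FW-DROP/ {
            src = ""; dst = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            # Keep only traffic that originated from the NAS itself.
            if (src == nas && dst != "") seen[dst ":" dpt "/" proto]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Stand-alone use: sh fw_summary.sh /path/to/firewall.log 192.168.1.50
if [ "$#" -ge 2 ]; then
    outbound_destinations "$1" "$2"
fi
```

Each output line is one candidate for a narrow outbound allow rule (destination, port and protocol) instead of switching the firewall off around a restart.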
Fionn
Posts: 16
Joined: 24 May 2022, 23:05

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Fionn »

@onemeshnig
Saijin_Naib wrote: 14 Jul 2022, 08:06 ARM implementation of TOS 4.x is missing a ton of features, among them any way to set the SMB version and parameters like the x86 TOS users can. So, you don't have that control unless you drop into the shell via SSH and edit configs manually.
And how do you do that?
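A read-only check that can be run over SSH before any config is edited, as an added example (not part of any post in this thread and not TerraMaster's code): it reports whether a Samba configuration still accepts SMB1. It assumes the NAS serves SMB through Samba; `server min protocol` is Samba's own parameter, while the config path is passed as an argument because the thread does not say where TOS keeps the file.

```shell
#!/bin/sh
# Added example: does this Samba config still accept SMB1 clients?
# Assumption: the NAS serves SMB through Samba; the smb.conf path is an
# argument because the thread does not say where TOS keeps the file.

# Print the [global] minimum protocol in upper case, or "unset".
# Samba ignores case and whitespace in section and parameter names, and
# "min protocol" is a synonym for "server min protocol"; last one wins.
smb_min_protocol() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[ \t\r]/, "", sec); next }
        sec == "[global]" {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "serverminprotocol" || key == "minprotocol") {
                val = toupper($2); gsub(/[ \t\r]/, "", val)
            }
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Return 0 if SMB1 is refused, 1 if an SMB1-era dialect is the minimum,
# 2 if the parameter is absent (the default then depends on the Samba build).
smb1_refused() {
    case "$(smb_min_protocol "$1")" in
        SMB2*|SMB3*) return 0 ;;
        unset)       return 2 ;;
        *)           return 1 ;;    # CORE, COREPLUS, LANMAN1, LANMAN2, NT1
    esac
}

# Stand-alone use: sh smb1_check.sh /path/to/smb.conf
if [ -n "${1:-}" ]; then
    rc=0; smb1_refused "$1" || rc=$?
    echo "min protocol: $(smb_min_protocol "$1") (status $rc)"
fi
```

The script reads only the file it is given and does not follow `include` lines; where Samba's `testparm` is installed, `testparm -s` prints the effective settings.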
bidmead
Posts: 114
Joined: 18 Jan 2021, 02:25
Great Britain

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by bidmead »

I have a ransomware question. Deadbolt (for instance) seeks out a list of file suffixes and will encrypt those files, adding its own suffix, ".deadbolt". For obvious reasons, ".deadbolt" is not on the list of files it seeks to encrypt.

An amusing precaution against deadbolt would be a script that adds ".deadbolt" as a second suffix to every file as it is written and removes it immediately prior to it being accessed by its owner.

I mention this, because Terramaster's Snapshot app offers the ability to make the snapshots visible. This usefully makes it easy to restore individual files. However, the visible snapshot files retain their original suffixes and therefore are presumably as vulnerable to deadbolt as the originals.

Might it be of some value to offer a user-definable munge of some sort to snapshot suffixes?

--
Chris
TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by TMroy »

The visible snapshot file is just a symbolic link. The real snapshot files are hidden in a specific directory.
If you want to be more secure, you can use the file system snapshot in TOS 5. File system snapshots take snapshots of the entire file system, and the snapshot files are read-only and cannot be encrypted or deleted by ransomware.
To contact our team, please send email to the following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
bidmead
Posts: 114
Joined: 18 Jan 2021, 02:25
Great Britain

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by bidmead »

@TMroy

Very useful to know. Thanks.

But I'm not clear how to do a filesystem snapshot. The Snapshot app doesn't appear to provide for this. Is this a `btrfs-progs` commandline utility?

--
Chris
TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by TMroy »

To find the "File system snapshot", go to "TOS 5 desktop > Backup > File system snapshot".