New Checkmate Ransomware Threatening Your NAS Devices

Official announcements and latest news, awards from medias, and sucess stories.
User avatar
TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

New Checkmate Ransomware Threatening Your NAS Devices

Post by TMroy »

According to the official information provided by QNAP, a new ransomware known as Checkmate is targeting QNAP NAS devices recently. Checkmate attacks via SMB services exposed to the internet and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.

Related news: QNAP warns yet another wave of attacks are targeting NAS devices by techradar

Your TNAS is also highly likely to be targeted.

Recommendation
1. Do not enable SMB 1 service on your TNAS device.
2. Review all TNAS accounts immediately to ensure all passwords are strong enough. It is recommended that the password contain at least 8 characters, upper and lower case letters, and special characters.
3. Back up your data and take snapshots regularly for your share folders by installing the Snapshot app. If you have installed the TOS 5.0 on your TNAS, it is recommended to enable the TerraMaster File System Snapshot(TFSS) immediately. What is TFSS?
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
User avatar
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Checkmate Ransomware is targeting QNAP NAS devices

Post by Charlie_Croker »

@TMroy,

Thank you for the warning, it's good to see that TM are being so proactive by warning us of attacks on other NAS vendors that may also attack TM NAS in future. I have two say you guys have really learnt from Deadbolt and QNAP could learn a lot from you guys. (I own a QNAP too and this is the first I have heard of Checkmate).
Ex Terramaster user. British citizen, Ex resident of KSA, USA and now in UAE.
User avatar
Jac de Lad
Posts: 38
Joined: 04 Aug 2020, 01:40

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Jac de Lad »

Thanks TMRoy.

I have a question: What exactly does "SMB exposed to the internet" mean?
User avatar
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Charlie_Croker »

Jac de Lad wrote: 10 Jul 2022, 22:09 Thanks TMRoy.

I have a question: What exactly does "SMB exposed to the internet" mean?
if you have an SMB share that you can access when outside of your home network. https://security.stackexchange.com/ques ... e-internet
Ex Terramaster user. British citizen, Ex resident of KSA, USA and now in UAE.
User avatar
Jac de Lad
Posts: 38
Joined: 04 Aug 2020, 01:40

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Jac de Lad »

Aye thanks. I wasn't even aware that this possible.
User avatar
macmpi
Posts: 120
Joined: 07 Jan 2020, 02:52

Re: Checkmate Ransomware is targeting QNAP NAS devices

Post by macmpi »

Charlie_Croker wrote: 09 Jul 2022, 06:55 Thank you for the warning, it's good to see that TM are being so proactive by warning us of attacks on other NAS vendors that may also attack TM NAS in future.
Some progress indeed, but we are not there yet, unfortunately...
The now well-known AFP (netatalk) vulnerability is still without any warning/mitigation/fix since April 28th...
TerraMaster F2-210 under TOS 4.2.43, RAID1, Btrfs, serving Mac, Linux & Windows clients
User avatar
Ashley.S.
Posts: 4
Joined: 01 Mar 2022, 07:19
Great Britain

Re: New Checkmate Ransomware Threatening Your NAS Devices

Post by Ashley.S. »

Thanks for the warning, it's greatly appreciated :)
Kind Regards,
Ashley.S. [Terramaster F2-221 & 2x8TB Seagate IronWolf NAS Hard Drive User]
User avatar
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Checkmate Ransomware is targeting QNAP NAS devices

Post by Charlie_Croker »

@macmpi
macmpi wrote: 12 Jul 2022, 16:50
Charlie_Croker wrote: 09 Jul 2022, 06:55 Thank you for the warning, it's good to see that TM are being so proactive by warning us of attacks on other NAS vendors that may also attack TM NAS in future.
Some progress indeed, but we are not there yet, unfortunately...
The now well-known AFP (netatalk) vulnerability is still without any warning/mitigation/fix since April 28th...
AFP: was deprecated by Apple some time ago, I haven't used it for years, (& I started using Macs in the 90s via Shapeshifter on an Amiga A3000) but for users still using AFP: This does need to be patched, although a move to SMB: by users would probably be wiser.
Ex Terramaster user. British citizen, Ex resident of KSA, USA and now in UAE.
User avatar
macmpi
Posts: 120
Joined: 07 Jan 2020, 02:52

Re: Checkmate Ransomware is targeting QNAP NAS devices

Post by macmpi »

Charlie_Croker wrote: 12 Jul 2022, 22:44This does need to be patched
Sorry, but it does.
Any component in a system with known vulnerabilities should be fixed or removed: it just can't hang around unmaintained.

TOS is running a vulnerable version of netatalk: it should be fixed, like all other competing NAS makers have been doing, for some reasons...
TerraMaster F2-210 under TOS 4.2.43, RAID1, Btrfs, serving Mac, Linux & Windows clients
User avatar
Charlie_Croker
Posts: 105
Joined: 07 Oct 2020, 19:05

Re: Checkmate Ransomware is targeting QNAP NAS devices

Post by Charlie_Croker »

macmpi wrote: 12 Jul 2022, 23:33
Charlie_Croker wrote: 12 Jul 2022, 22:44This does need to be patched
Sorry, but it does.
Any component in a system with known vulnerabilities should be fixed or removed: it just can't hang around unmaintained.

TOS is running a vulnerable version of netatalk: it should be fixed, like all other competing NAS makers have been doing, for some reasons...
As i clearly said “THIS NEEDS TO BE PATCHED”! But AFP: is still deprecated by Apple it does not work with APFS and will not be further developed, If AFP is switched off on the NAS it does not introduce any vulnerability at all

Deprecated refers to a software or programming language feature that is tolerated or supported but not recommended. A deprecated attribute or feature is one that may eventually be phased out, but continues to be used in the meantime. Deprecation also helps to ward off backward compatibility issues, giving users time to migrate and begin using the newer recommended feature. The deprecated feature will continue to work in the current environment, but will show a warning message that the feature being used may be removed in future releases
Ex Terramaster user. British citizen, Ex resident of KSA, USA and now in UAE.
Post Reply