According to the official information provided by QNAP, a new ransomware known as Checkmate is targeting QNAP NAS devices recently. Checkmate attacks via SMB services exposed to the internet and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.
Related news: QNAP warns yet another wave of attacks are targeting NAS devices by techradar
Your TNAS is also highly likely to be targeted.
Recommendation
1. Do not enable SMB 1 service on your TNAS device.
2. Review all TNAS accounts immediately to ensure all passwords are strong enough. It is recommended that the password contain at least 8 characters, upper and lower case letters, and special characters.
3. Back up your data and take snapshots regularly for your share folders by installing the Snapshot app. If you have installed the TOS 5.0 on your TNAS, it is recommended to enable the TerraMaster File System Snapshot(TFSS) immediately. What is TFSS?
New Checkmate Ransomware Threatening Your NAS Devices
New Checkmate Ransomware Threatening Your NAS Devices
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
- Charlie_Croker
- Posts: 105
- Joined: 07 Oct 2020, 19:05
Re: Checkmate Ransomware is targeting QNAP NAS devices
@TMroy,
Thank you for the warning, it's good to see that TM are being so proactive by warning us of attacks on other NAS vendors that may also attack TM NAS in future. I have two say you guys have really learnt from Deadbolt and QNAP could learn a lot from you guys. (I own a QNAP too and this is the first I have heard of Checkmate).
Thank you for the warning, it's good to see that TM are being so proactive by warning us of attacks on other NAS vendors that may also attack TM NAS in future. I have two say you guys have really learnt from Deadbolt and QNAP could learn a lot from you guys. (I own a QNAP too and this is the first I have heard of Checkmate).
Ex Terramaster user. British citizen, Ex resident of KSA, USA and now in UAE.
- Jac de Lad
- Posts: 38
- Joined: 04 Aug 2020, 01:40
Re: New Checkmate Ransomware Threatening Your NAS Devices
Thanks TMRoy.
I have a question: What exactly does "SMB exposed to the internet" mean?
I have a question: What exactly does "SMB exposed to the internet" mean?
- Charlie_Croker
- Posts: 105
- Joined: 07 Oct 2020, 19:05
Re: New Checkmate Ransomware Threatening Your NAS Devices
if you have an SMB share that you can access when outside of your home network. https://security.stackexchange.com/ques ... e-internetJac de Lad wrote: ↑10 Jul 2022, 22:09 Thanks TMRoy.
I have a question: What exactly does "SMB exposed to the internet" mean?
Ex Terramaster user. British citizen, Ex resident of KSA, USA and now in UAE.
- Jac de Lad
- Posts: 38
- Joined: 04 Aug 2020, 01:40
Re: New Checkmate Ransomware Threatening Your NAS Devices
Aye thanks. I wasn't even aware that this possible.
Re: Checkmate Ransomware is targeting QNAP NAS devices
Some progress indeed, but we are not there yet, unfortunately...Charlie_Croker wrote: ↑09 Jul 2022, 06:55 Thank you for the warning, it's good to see that TM are being so proactive by warning us of attacks on other NAS vendors that may also attack TM NAS in future.
The now well-known AFP (netatalk) vulnerability is still without any warning/mitigation/fix since April 28th...
TerraMaster F2-210 under TOS 4.2.43, RAID1, Btrfs, serving Mac, Linux & Windows clients
Re: New Checkmate Ransomware Threatening Your NAS Devices
Thanks for the warning, it's greatly appreciated
Kind Regards,
Ashley.S. [Terramaster F2-221 & 2x8TB Seagate IronWolf NAS Hard Drive User]
Ashley.S. [Terramaster F2-221 & 2x8TB Seagate IronWolf NAS Hard Drive User]
- Charlie_Croker
- Posts: 105
- Joined: 07 Oct 2020, 19:05
Re: Checkmate Ransomware is targeting QNAP NAS devices
@macmpi
AFP: was deprecated by Apple some time ago, I haven't used it for years, (& I started using Macs in the 90s via Shapeshifter on an Amiga A3000) but for users still using AFP: This does need to be patched, although a move to SMB: by users would probably be wiser.macmpi wrote: ↑12 Jul 2022, 16:50Some progress indeed, but we are not there yet, unfortunately...Charlie_Croker wrote: ↑09 Jul 2022, 06:55 Thank you for the warning, it's good to see that TM are being so proactive by warning us of attacks on other NAS vendors that may also attack TM NAS in future.
The now well-known AFP (netatalk) vulnerability is still without any warning/mitigation/fix since April 28th...
Ex Terramaster user. British citizen, Ex resident of KSA, USA and now in UAE.
Re: Checkmate Ransomware is targeting QNAP NAS devices
Sorry, but it does.
Any component in a system with known vulnerabilities should be fixed or removed: it just can't hang around unmaintained.
TOS is running a vulnerable version of netatalk: it should be fixed, like all other competing NAS makers have been doing, for some reasons...
TerraMaster F2-210 under TOS 4.2.43, RAID1, Btrfs, serving Mac, Linux & Windows clients
- Charlie_Croker
- Posts: 105
- Joined: 07 Oct 2020, 19:05
Re: Checkmate Ransomware is targeting QNAP NAS devices
As i clearly said “THIS NEEDS TO BE PATCHED”! But AFP: is still deprecated by Apple it does not work with APFS and will not be further developed, If AFP is switched off on the NAS it does not introduce any vulnerability at allmacmpi wrote: ↑12 Jul 2022, 23:33Sorry, but it does.
Any component in a system with known vulnerabilities should be fixed or removed: it just can't hang around unmaintained.
TOS is running a vulnerable version of netatalk: it should be fixed, like all other competing NAS makers have been doing, for some reasons...
Deprecated refers to a software or programming language feature that is tolerated or supported but not recommended. A deprecated attribute or feature is one that may eventually be phased out, but continues to be used in the meantime. Deprecation also helps to ward off backward compatibility issues, giving users time to migrate and begin using the newer recommended feature. The deprecated feature will continue to work in the current environment, but will show a warning message that the feature being used may be removed in future releases
Ex Terramaster user. British citizen, Ex resident of KSA, USA and now in UAE.