QNAP Systems has issued an advisory warning customers that ransomware operators are targeting its network-attached storage (NAS) products via Server Message Block (SMB) services exposed to the internet.
The Taiwanese company said a new ransomware family known as Checkmate was recently brought to its attention, with preliminary analysis indicating that it’s targeting NAS devices with SMB services exposed to the internet. SMB is a communication protocol used to provide shared access to files across nodes on a network of systems.
However, Checkmate ransomware operators are apparently not exploiting any vulnerability in QNAP’s products. Rather, they are making the most of misconfigured network settings and weak, easy-to-guess passwords via a simple technique known as a dictionary attack.
“Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords,” the advisory reads. “Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name ‘!CHECKMATE_DECRYPTION_README’ in each folder.”
Victims are sharing their stories on the BleepingComputer forum. Ransom notes may vary depending on each victim’s data, but according to thread starter “sikich,” the ransom demand was $15,000. It is unclear if Checkmate operators are adjusting their demands based on the value of the encrypted/stolen data, but it wouldn’t be a surprise if they did, as this practice is fairly common among ransomware operators.
The ransom note shared by ‘sikich’ is reproduced below:
You was hacked by CHECKMATE team.
All your data has been encrypted, backups have been deleted.
Your unique ID: bc75c72[edited]
You can restore the data by paying us money.
We have encrypted 267183 office files.
We determine the amount of the ransom from the number of encrypted office files.
The cost of decryption is 15000 USD.
Payment is made to a unique bitcoin wallet.
Before paying, you will be able to make sure that we can actually decrypt your files.
1) Download and install Telegram Messenger https://telegram.org/
2) Find us https://t.me/checkmate_team
3) Send a message with your unique ID and 3 files for test decryption. Files should be no more than 15mb each.
4) In response, we will send the decrypted files and a bitcoin wallet for payment. Bitcoin wallet is unique for you, so we can find out what you paid.
5) After the payment is received, we will send you the key and the decryption program.
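For triage, the note's file name from the advisory and the fields in the note quoted above are enough to map which shared folders were hit. The following is an added example, not code from QNAP or the original article; it assumes the note may carry a file extension and that other notes follow the wording of the one quoted here.

```python
import os
import re
import sys

# File name from the QNAP advisory; prefix match in case an extension is appended (assumption).
NOTE_PREFIX = "!checkmate_decryption_readme"

# Patterns follow the wording of the note quoted in the article: (regex, converter).
FIELDS = {
    "victim_id": (re.compile(r"Your unique ID:\s*(\S+)"), str),
    "encrypted_files": (re.compile(r"We have encrypted (\d+) office files"), int),
    "demand_usd": (re.compile(r"cost of decryption is (\d+) USD"), int),
}


def parse_note(text):
    """Return the triage fields present in one ransom note (missing fields are omitted)."""
    found = {}
    for name, (pattern, convert) in FIELDS.items():
        match = pattern.search(text)
        if match:
            found[name] = convert(match.group(1))
    return found


def scan_share(root):
    """Walk a share read-only and map each folder holding a note to its parsed fields."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith(NOTE_PREFIX):
                path = os.path.join(folder, name)
                # errors="replace" keeps the scan going if a note is not valid UTF-8
                with open(path, encoding="utf-8", errors="replace") as handle:
                    hits[folder] = parse_note(handle.read())
    return hits


if __name__ == "__main__":
    # The share root is whatever mount point is passed in; defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for folder, fields in sorted(scan_share(root).items()):
        print(folder, fields)
```

Run it against a read-only mount or snapshot of the share so the scan does not alter timestamps on evidence.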
QNAP says it is “thoroughly investigating the case and will provide further information as soon as possible.”
Customers are urged to reduce their NAS exposure to the internet by tweaking their network settings accordingly. The company also instructs users to make sure their firmware is up to date.
Although QNAP clearly mentions that victims of this abuse have weak passwords in place, the firm falls short of recommending that users switch to stronger passwords – which, of course, they should.
QNAP NAS users have been targeted by a flurry of ransomware attacks in the past two years, prompting the vendor to issue several such advisories, urgent patches and even to extend support for end-of-life products.