Security ID: QSA-22-21
Checkmate Ransomware via SMB Services Exposed to the Internet
- Release date: July 7, 2022
- Affected products: SMB services exposed to the internet
- Severity: Moderate
- Status: Information
Summary
A new ransomware known as Checkmate has recently been brought to our attention. Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords. Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name "!CHECKMATE_DECRYPTION_README" in each folder.
Recommendation
If the SMB service on your NAS is exposed to the internet, we strongly recommend taking the following actions:
- Do not expose SMB service to the internet.
 You can reduce NAS service exposure to the internet by using a VPN. For details, refer to this document.
- Disable SMB 1.
- Update your QNAP operating system to the latest version.
- Review all NAS accounts immediately to ensure all passwords are strong enough.
- Back up your data and take snapshots regularly.
Disabling SMB 1
- Log on to QTS, QuTS hero, or QuTScloud.
- Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
- Click Advanced Options.
 The Advanced Options window opens.
- Next to Lowest SMB version, select SMB 2 or higher.
- Click Apply.
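To confirm that the setting took effect, the following added example (not QNAP code, and not part of the original advisory) sends an SMB1-only negotiate request to your own NAS and classifies the reply. The function names and result strings are assumptions of this example; the dialect string and the 0xFFFF "no dialect accepted" index come from the SMB1 protocol itself.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF  # DialectIndex meaning "none of the offered dialects accepted"

def build_smb1_negotiate() -> bytes:
    """SMB1 Negotiate request that offers only the SMB1 dialect 'NT LM 0.12'."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,  # protocol, command, status
        0x18, 0xC801,                      # flags, flags2
        0, b"\x00" * 8, 0,                 # PIDHigh, security features, reserved
        0xFFFF, 0xFEFF, 0, 1,              # TID, PIDLow, UID, MID
    )
    dialects = b"\x02NT LM 0.12\x00"
    # WordCount = 0, then ByteCount and the dialect list
    body = header + b"\x00" + struct.pack("<H", len(dialects)) + dialects
    # NetBIOS session header: type 0x00 followed by a 24-bit big-endian length
    return struct.pack(">I", len(body)) + body

def classify_response(data: bytes) -> str:
    """Classify the reply to build_smb1_negotiate(); data includes the NetBIOS header."""
    if not data:
        return "smb1-disabled"      # server closed the connection without answering
    msg = data[4:]
    if len(msg) < 33 or msg[:4] != SMB1_MAGIC or msg[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    if msg[32] == 0:
        return "smb1-disabled"      # error reply carrying no parameter words
    if len(msg) < 35:
        return "unknown"            # truncated reply
    dialect_index = struct.unpack_from("<H", msg, 33)[0]
    return "smb1-disabled" if dialect_index == NO_DIALECT else "smb1-enabled"

def probe(host: str, port: int = 445, timeout: float = 5.0) -> str:
    """Connect to the SMB port of your own NAS and report whether SMB1 is accepted."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "port-unreachable"
    with sock:
        try:
            sock.sendall(build_smb1_negotiate())
            return classify_response(sock.recv(4096))  # reply fits in one segment
        except (ConnectionResetError, BrokenPipeError):
            return classify_response(b"")
        except socket.timeout:
            return "unknown"
```

Call probe() with the NAS address from a host on the same LAN; once SMB 2 or higher is selected as the lowest version, the result should be smb1-disabled.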
Updating QTS, QuTS hero, or QuTScloud
- Log on to QTS, QuTS hero or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
 QTS, QuTS hero or QuTScloud downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Revision History: V1.0 (July 7, 2022) - Published
 
                                     
                                    