Qnap warns that the manufacturer is investigating cases of ransomware infestation of its NAS devices. These are infected with the ransomware Checkmate. After a break-in, the attackers encrypted the data on the network storage devices.
The company explains that preliminary results indicate that Checkmate is attacking SMB services that are accessible on the Internet. The attackers tried to break into the accounts with dictionary attacks. After successfully logging into a device, they encrypt data in shared folders and leave ransom note file called !CHECKMATE_DECRYPTION_README in each directory.
take protective measures
In a security notification, Qnap gives hints and tips on how NAS devices that offer SMB services can be better secured. The first tip is not to expose SMB services to the Internet. However, where external access is necessary, administrators should rely on VPN in order not to make the NAS services directly accessible on the Internet.
Finally, admins should disable support for SMBv1 and update the Qnap operating system to the latest available version. Especially on devices that offer services on the Internet, operators should check all NAS accesses for sufficiently strong passwords. The list of recommendations concludes that regular backups of data and snapshots are advisable.
These tips for action generally also apply to the use of NAS systems from other manufacturers. Qnap NAS were last targeted by cybergangs about three weeks ago. The manufacturer warned of a wave of attacks with DeadBolt ransomware.