Ransomware Checkmate

A new ransomware extension, called Checkmate, has been identified and has made numerous attacks targeting NAS (Network Attached Storage) devices.

The checkmate ransomware first appeared in May 2022, breaking into servers manufactured by the company QNAP.

In an official QNAP statement released in July of this year, the company commented that hackers break into the system “using a dictionary attack to crack accounts with weak passwords.”

Dictionary attack is the name given to the strategy of performing brute force intrusions to gain access to user logins and passwords. Among the millions and even billions of login attempts, dictionary words are used extensively.

Some recommendations were also left by QNAP to prevent new victims, some of them being to upgrade to the latest released version of the system and also to do a password analysis of all NAS users.

The access was possible due to a common practice of server users, which was to make SMB services available on the Internet. They allow data sharing over the network, which creates easy access for the group to browse the entire server.

After infecting a machine, checkmate ransomware starts stealing and encrypting the files found, and can reach any device connected to the same network. The files are given an extension called “.checkmate” and after it is applied, access to the data is blocked.

To negotiate with the group and try to get your data back, a ransom note called “!CHECKMATE_DECRYPTION_README.txt” is fixed on your desktop, informing you of what happened and a link to contact them. The amounts demanded by the group for recovery come in at $15,000 in Bitcoin.

To try to gain trust and prove to victims that they have access to the decryption key, the checkmate attaches a link to the telegram, where up to 3 folders with 15Mb files can be restored.

However, it is worth noting that paying a ransom is not recommended. According to research, companies that resort to this way out have an 80% chance of being attacked again.

The ideal choice is to seek support from a company that specializes in data recovery.

Recover files encrypted by Checkmate ransomware

Digital Recovery is a company specializing in the recovery of files encrypted by ransomware.

For over 23 years facing the various scenarios of data loss, we have gained the necessary experience to work on solutions in any data centers. Including NAS servers, where checkmate ransomware operates.

Due to the gigantic proportions a ransomware attack can take, we have a specialized division to recover your files.

In most cases, our engineers are also able to work fully remotely to recover your information.

In addition to our service, we offer our customers a confidentiality agreement (NDA), which guarantees the secrecy of your information.

For more information, request a diagnosis with our experts right now.

We are always online

Please fill out the form, or select your preferred contact method. We will contact you to start recovering your files.

Latest insights from our experts

Khonsari Ransomware

Khonsari Ransomware

The Khonsari ransomware was the first group to exploit known Apache Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), the group has focused its attacks on Windows servers that

Recuperar Ransomware Makop

Makop Ransomware

Makop ransomware has been expanding through its affiliate program, RaaS (Ransomware as a Service), a tactic that aims to seek partners to carry out attacks


Through unique technologies Digital Recovery can bring back encrypted data on any storage device, offering remote solutions anywhere in the world.