Checkmate Ransomware

A new ransomware extension, called Checkmate, has been identified and has made numerous attacks targeting Network Attached Storage (NAS) devices.

Checkmate ransomware first appeared in May 2022, breaking into servers manufactured by the company QNAP.

In an official QNAP statement released in July this year, the company commented that hackers break into the system “using a dictionary attack to crack accounts with weak passwords.”

Dictionary attack is the name given to the strategy of performing brute force intrusions to gain access to user logins and passwords. Among the millions and even billions of login attempts, dictionary words are used extensively.

QNAP also made some recommendations to prevent new victims, including upgrading to the latest released version of the system and also doing a password analysis of all NAS users.

The access was possible due to a common practice of server users, which was to make SMB services available on the Internet. They allow the sharing of data on the network, which creates easy access for the group to browse the entire server.

After infecting a machine, checkmate ransomware begins stealing and encrypting the files found, and can reach any device connected to the same network. The files are given an extension called “.checkmate” and after it is applied, access to the data is blocked.

To negotiate with the group and try to get your data back, a ransom note called “!CHECKMATE_DECRYPTION_README.txt” is fixed on your desktop, informing you of what happened and a link to contact them. The amounts demanded by the group for recovery come in the region of $15,000 in Bitcoin.

To try to gain trust and prove to victims that they have access to the decryption key, the checkmate attaches a link to the telegram, where up to 3 folders with 15Mb files can be restored.

However, it is worth noting that paying a ransom is not recommended. According to research, companies that resort to this way out have an 80% chance of being attacked again.

The ideal choice, is to seek support with a company specialised in data recovery.

Recover files encrypted by Checkmate ransomware

Digital Recovery is a company specialising in the recovery of files encrypted by ransomware.

For more than 23 years facing the various scenarios of data loss, we have gained the necessary experience to work on solutions in any data centers. Including NAS servers, where checkmate ransomware operates.

Due to the massive proportions a ransomware attack can take, we have a specialist division to recover your files.

In most cases, our engineers are also able to work fully remotely to recover your information, all in accordance with the General Data Protection Regulation (GDPR)

Alongside our service, we offer our clients a confidentiality agreement (NDA), which guarantees the secrecy of information.

For more information, request a diagnosis with our experts right now.

We are
always online

Please fill out the form, or select your preferred contact method. We will contact you to start recovering your files.

Latest insights from our experts

Khonsari Ransomware

Khonsari Ransomware

The Khonsari ransomware was the first group to exploit known Apache Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), the group has focused its attacks on Windows servers that

Récupérer le Ransomware Makop

Makop Ransomware

The Makop ransomware has grown through its affiliate programme, RaaS (Ransomware as a Service), a tactic that aims to find partners to carry out attacks


Through unique technologies Digital Recovery can bring back encrypted data on any storage device, offering remote solutions anywhere in the world.