QNAP Ransomware - PhotoRec works to retrieve files

ozstar
Posts: 17
Joined: 22 Apr 2013, 06:27

QNAP Ransomware - PhotoRec works to retrieve files

#1 Post by ozstar »

Hi,

I and thousands of others have been hacked by Qlocker Ransomware demanding 500 Bitcoins to get the files unencrypted.

A member on the Bleeping Computer forum and someone on YouTube have come up with a way to try and retrieve the files that the hackers deleted. It uses PuTTY and PhotoRec.

I eventually got it to work and PhotoRec has so far got 88k files with another 32 hours to go.

The program saves the files with a number and the correct ext so the actual orig filename is not there.

I was wondering in what order does PhotoRec get the files and save them to the new drive?
Is it by orig name alpha, or where it is saved on the disk etc.?

It may help me when I am trying to rename the numbered files to their correct orig name.

Thanks to PhotoRec the hackers are a few dollars less rich, although I saw where someone said over 500,000 has been paid to them to get the file password.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: QNAP Ransomware - PhotoRec works to retrieve files

#2 Post by recuperation »

I use this opportunity to underline that those users using PhotoRec should consider a donation!

To the left of the screen linked below is a yellowish donation button:

https://www.cgsecurity.org/wiki/TestDisk_Download

For the numbering read this thread:

viewtopic.php?p=33846#p33846

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: QNAP Ransomware - PhotoRec works to retrieve files

#3 Post by cgrenier »

PhotoRec saves the files in the order they were stored on the source disk (not exactly true for fragmented files).
QNAP published a package yesterday that uses PhotoRec to help in renaming the files: https://www.qnap.com/en/how-to/tutorial ... n-qnap-nas

ozstar
Posts: 17
Joined: 22 Apr 2013, 06:27

Re: QNAP Ransomware - PhotoRec works to retrieve files

#4 Post by ozstar »

Would the result be any different using TestDisk?

slimb
Posts: 1
Joined: 28 May 2021, 18:41

Re: QNAP Ransomware - PhotoRec works to retrieve files

#5 Post by slimb »

I was hit by Qlocker too. Every time I run photorec it hangs up on the same sector after roughly 3 minutes. I've seen comments about editing the photorec.ses file but I haven't had any success.

Any help would be greatly appreciated.
My photorec.ses file looks like this:

#1622223412
/dev/mapper/cachedev1 partition_none,255,blocksize,1024,fileopt,options,paranoid,keep_corrupted_file_no,wholespace,search,status=find_offset,inter
0-1
2-75831
75832-75839
75840-262143
262144-272215
272216-272383
272384-272639
272640-274431
274432-275391
275392-275455
275456-3848241151
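
An added example, not part of slimb's post and not PhotoRec's own code: a Python script that parses the photorec.ses listing above and reports how much search space it still covers, plus any gaps or overlaps between ranges. It assumes each `start-end` line is an inclusive range counted in 512-byte sectors; the thread does not state the unit, and the function names are chosen here.

```python
# Assumption (not from the thread): each "start-end" line is an inclusive range
# counted in sectors of SECTOR_SIZE bytes.
SECTOR_SIZE = 512

# Session file contents as posted in #5 of this thread.
SAMPLE_SES = """#1622223412
/dev/mapper/cachedev1 partition_none,255,blocksize,1024,fileopt,options,paranoid,keep_corrupted_file_no,wholespace,search,status=find_offset,inter
0-1
2-75831
75832-75839
75840-262143
262144-272215
272216-272383
272384-272639
272640-274431
274432-275391
275392-275455
275456-3848241151
"""

def parse_ses(text):
    """Return (timestamp, device, options, ranges) parsed from session text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("#"):
        raise ValueError("expected '#<timestamp>' followed by a device line")
    timestamp = int(lines[0][1:])
    device, _, opts = lines[1].partition(" ")
    ranges = []
    for ln in lines[2:]:
        start, sep, end = ln.partition("-")
        if not (sep and start.isdigit() and end.isdigit()) or int(end) < int(start):
            raise ValueError(f"not a valid start-end range: {ln!r}")
        ranges.append((int(start), int(end)))
    return timestamp, device, opts.split(","), ranges

def summarise(ranges, sector_size=SECTOR_SIZE):
    """Size of the listed search space plus gaps and overlaps between ranges."""
    ordered = sorted(ranges)
    pairs = list(zip(ordered, ordered[1:]))
    sectors = sum(end - start + 1 for start, end in ordered)
    return {
        "sectors": sectors,
        "bytes": sectors * sector_size,
        "gaps": [(a[1] + 1, b[0] - 1) for a, b in pairs if b[0] > a[1] + 1],
        "overlaps": [(a, b) for a, b in pairs if b[0] <= a[1]],
    }

if __name__ == "__main__":
    ts, dev, opts, ranges = parse_ses(SAMPLE_SES)
    print(dev, [o for o in opts if o.startswith("status=")], summarise(ranges))
```

For the listing in #5, the eleven ranges are contiguous from 0 with no gaps or overlaps, and the options line still carries status=find_offset.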

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: QNAP Ransomware - PhotoRec works to retrieve files

#6 Post by recuperation »

Which version are you running?
What file system do you use on your target partition?

You might have unreadable sectors. When only recovering information from one disk, you simply duplicate it with ddrescue, which has a built-in strategy to deal with unreadable sectors.

With virtual devices consisting of a couple of drives it is much more work.
You are either able to identify a single broken drive and replace it, or you duplicate the whole setup. In addition to that, your machine needs to be able to present the combined virtual drive to PhotoRec using the one duplicated drive or even the complete group of duplicated drives.
