Hi,
I and thousands of others have been hacked by Qlocker ransomware demanding 500 Bitcoins to get the files unencrypted.
A member on the Bleeping Computer forum and someone on YouTube have come up with a way to try and retrieve the files that the hackers deleted. It uses PuTTY and PhotoRec.
I eventually got it to work and PhotoRec has so far got 88k files with another 32 hours to go.
The program saves the files with a number and the correct ext so the actual orig filename is not there.
I was wondering in what order does PhotoRec get the files and save them to the new drive?
Is it by orig name alpha, or where it is saved on the disk etc.
It may help me when I am trying to rename the numbered files to their correct orig name.
Thanks to PhotoRec the hackers are a few dollars less rich, although I saw where someone said over 500,000 has been paid to them to get the file password.
Qnap Ransomeware- PhotoRec works to retrieve files
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
- Posts: 2735
- Joined: 04 Jan 2019, 09:48
- Location: Hannover, Deutschland (Germany, Allemagne)
Re: Qnap Ransomeware- PhotoRec works to retrieve files
I use this opportunity to underline that those users using Photorec should consider a donation!
To the left of the screen linked below is a yellowish donation button:
https://www.cgsecurity.org/wiki/TestDisk_Download
For the numbering read this thread:
viewtopic.php?p=33846#p33846
- cgrenier
- Site Admin
- Posts: 5432
- Joined: 18 Feb 2012, 15:08
- Location: Le Perreux Sur Marne, France
Re: Qnap Ransomeware- PhotoRec works to retrieve files
PhotoRec saves the files in the order they were stored on the source disk (not exactly true for fragmented files).
Yesterday QNAP published a package using PhotoRec to help in renaming the files: https://www.qnap.com/en/how-to/tutorial ... n-qnap-nas
Re: Qnap Ransomeware- PhotoRec works to retrieve files
Would the result be any different using Test Disk?
Re: Qnap Ransomeware- PhotoRec works to retrieve files
I was hit by Qlocker too. Every time I run photorec it hangs up on the same sector after roughly 3 minutes. I've seen comments about editing the photorec.ses file but I haven't had any success.
Any help would be greatly appreciated.
My photorec.ses file looks like this:
#1622223412
/dev/mapper/cachedev1 partition_none,255,blocksize,1024,fileopt,options,paranoid,keep_corrupted_file_no,wholespace,search,status=find_offset,inter
0-1
2-75831
75832-75839
75840-262143
262144-272215
272216-272383
272384-272639
272640-274431
274432-275391
275392-275455
275456-3848241151
- Posts: 2735
- Joined: 04 Jan 2019, 09:48
- Location: Hannover, Deutschland (Germany, Allemagne)
Re: Qnap Ransomeware- PhotoRec works to retrieve files
Which version are you running?
What file system do you use on your target partition?
You might have unreadable sectors. When only recovering information from one disk you simply duplicate it with ddrescue which has a built-in strategy to deal with unreadable sectors.
With virtual devices consisting of a couple of drives it is much more work.
You are either able to identify a single broken drive and replace it or you duplicate the whole setup. In addition to that your machine needs to be able to present the combined virtual drive to Photorec using the one drive duplicated or even by using the complete group of duplicated drives.
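The ddrescue approach described in the reply above, as an added example that is not part of the original thread: a two-pass imaging wrapper following the GNU ddrescue manual, plus a mapfile summary that lists the unreadable areas so they can be compared with the sector where PhotoRec stalls. The device and file names, the 512-byte sector size and the sample mapfile are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Device/file names are placeholders.

# Two passes as in the GNU ddrescue manual: copy what reads cleanly first,
# then retry the failed areas. The mapfile makes both passes resumable.
image_disk() {    # usage: image_disk /dev/sdX disk.img disk.map
    ddrescue -n "$1" "$2" "$3" &&       # pass 1: no scraping of bad areas
    ddrescue -d -r3 "$1" "$2" "$3"      # pass 2: direct access, 3 retries
}

# Summarise a mapfile. Data lines are "pos size status" in hex bytes:
# '+' rescued, '-' bad sector(s), '?' '*' '/' not finished yet.
map_summary() {
    good=0; bad=0; pending=0; first=1
    while read -r pos size status rest; do
        case $pos in ''|'#'*) continue ;; esac
        # First non-comment line is the current position/status, not a block.
        if [ "$first" = 1 ]; then first=0; continue; fi
        case $status in
            '+') good=$(($good + $size)) ;;
            '-') bad=$(($bad + $size))
                 # Sector number assumes 512-byte sectors.
                 echo "bad: sector $(($pos / 512)) length $(($size)) bytes" ;;
            *)   pending=$(($pending + $size)) ;;
        esac
    done < "$1"
    echo "rescued=$good bad=$bad pending=$pending"
}

# Constructed sample mapfile for a 2 MiB device with two unreadable areas.
sample_map=$(mktemp)
cat > "$sample_map" <<'EOF'
# Mapfile. Created by GNU ddrescue (constructed sample)
# current_pos  current_status  current_pass
0x00120000     +               1
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00000200  -
0x00100200  0x0001FE00  +
0x00120000  0x00000400  -
0x00120400  0x000DFC00  +
EOF
map_summary "$sample_map"
rm -f "$sample_map"
```

PhotoRec is then pointed at the image file instead of the failing device, so the unreadable areas no longer block the scan.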