cgsecurity.org

Hi,

I and thousands of others have been hacked by Qlocker Ransomeware demanding 500 Bitcoins to get the files unencrypted.

A member on the Beeping Computer forum and someone on YouTube have come up with a way to try and retrieve the files that the hackers deleted. It uses PuTTy and PhotRec.

I eventually got it to work and PhotoRec has so far got 88k files with another 32 hours to go.

The program saves the files with a number and the correct ext so the actual orig filename is not there.

I was wondering in what order does PhotoRec get the files and save them to the new drive?
Is is by orig name alpha, or where it is saved on the disk etc.

It may help me when I am trying to rename the numbered files to their correct orig name.

Thanks to PhotoRec the hackers are a few dollars less rich, although I saw where someone said over 500,000 has been paid to them to get the file password.

I use this opportunity to underline that those users using Photorec should consider a donation!

To the left of the screen linked below is a yellowish donation button:

https://www.cgsecurity.org/wiki/TestDisk_Download

For the numbering read this thread:

viewtopic.php?p=33846#p33846

PhotoRec saves the file in the order there were stored on the source disk (Not exactly true for fragmented files).
QNAP has published yesterday a package using PhotoRec to help in renaming the files: https://www.qnap.com/en/how-to/tutorial ... n-qnap-nas

Would the result be any different using Test Disk?

I was hit by Qlocker too. Every time I run photorec it hangs up on the same sector after roughly 3 minutes. I've seen comments about editing the photorec.ses file but I haven't had any success.

Any help would be greatly appreciated.
My photorec.ses file looks like this:

#1622223412
/dev/mapper/cachedev1 partition_none,255,blocksize,1024,fileopt,options,paranoid,keep_corrupted_file_no,wholespace,search,status=find_offset,inter
0-1
2-75831
75832-75839
75840-262143
262144-272215
272216-272383
272384-272639
272640-274431
274432-275391
275392-275455
275456-3848241151

Which version are you running?
What file system do you use on your target partition?

You might have unreadable sectors. When only recovering information from one disk you simply duplicate it with ddrescue which has a built-in strategy to deal with unreadable sectors.

With virtual devices consisting of a couple of drives it is much more work.
You are either able to identify a single broken drive and replace it or you duplicate the whole setup. In addition to that your machine needs to be able to present the combined virtual drive to Photorec using the one drive duplicated or even by using the complete group of duplicated drives.