QNAP Ransomware - Recovery advice

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
ascaaear
Posts: 1
Joined: 07 Sep 2022, 13:32

QNAP Ransomware - Recovery advice

#1 Post by ascaaear »

I recently been exposed and been hacked by a DEADBOLT ransomware on my QNAP NAS. I understand the chances of recovering the files (my photos) are slim (I didnt have any snapshots). However, I like to go through my options, and came over the tool Qrescue (which can run PhotoRec on my QNAP). My hope is that somewhere on the NAS there might files that have been added and removed, that could be recovered. On the instruction it says i need free space of 1.5x to 2x the size of used space on my NAS - bottom line is, its about 10TB totally of data, so thats not an option.

My question is: Is it possible to run PhotoRec on just a folder of my choice, on my nas (Not the whole partition) ? There is just a small area (about 350 GB) that I was hoping to have scanned by this software.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: QNAP Ransomware - Recovery advice

#2 Post by recuperation »

No.
I am now aware how far QRescue differs from Photorec.

If you are not willing to buy new storage you can stop Qrescue/Photorec before the recovery space is totally filled up.
Upon restart of QRescue?/Photorec asks you if it should continue your recovery operation when it finds an old log file.
Please try that out in your case by interrupting Photorec right after some seconds of operation.

During the time Photorec is not running you can examine the recovered folders and delete false positives and unreadable files.
You can do this clean-up operation even when Photorec is running by working on older recovered files.
The only disadvantage is that your simultaneous operation may slow down Photorec a bit.

Locked