cgsecurity.org

I'm trying to recover a 3TB disk after being hit by QLocker.
I'm using photorec bundled into QRescue.
Obviously, this is going extremely slow, I can't even remember how many days (definitely more than a week) have passed now...
It's now at around 55% by sector count, and got even slower. What I noticed, that now it keeps jumping back by 100-150 million (!) sectors from time to time, usually right after it reports a new file found just a few sectors after the previous place it jumped back from.
I don't remember seeing this happening in the earlier, lower sectors.
This observation is backed by the number of recup dirs being created by each day. For the first couple of days it was hundreds of new dirs per day, but now it is only increasing by 1 or 2 new dirs each day.
There are ~4200 dirs created in relatively quick succession (reaching ~3.19B sectors) in around 6-7 days, but only around 20 in the last 5 days. The most recent files are from sectors in the 3.39B range. That's 200M (0.2B) sector progress for these last 5 days altogether. At this rate, it might take several more weeks to finish, so I'm quite concerned.
Any tip on what might be going on and how to overcome this behavior?

See some images: https://imgbox.com/g/HOd94kD3IO
You can see, the "elapsed time" and "files found" increased, but the sector counter is lower.
(Ignore the actual elapsed time value, I had to restart the device. So this only shows the latest session, not the total actual time.)

Please upload your pictures using the Attachments tab on the bottom of the site so that other ransomware victims can profit from your case as well.
Picture hoster come and go!

As for your question, we had an issue with Photorec which has been fixed but I am unsure if that took place before the tool for the Q-Ransomware came out, I will have to find out.

recuperation wrote: 11 Nov 2022, 21:29 Please upload your pictures using the Attachments tab on the bottom of the site so that other ransomware victims can profit from your case as well.

I was looking for an option to do that, but only checked the upper toolbar, so overlooked it at the bottom. My bad. Attachments added above.

recuperation wrote: 11 Nov 2022, 21:29 As for your question, we had an issue with Photorec which has been fixed but I am unsure if that took place before the tool for the Q-Ransomware came out, I will have to find out.

Thanks, let me know once you have any suggestions coming out of that. Is the version of photorec in the QRescue tool a special build, or only the default settings are specific?

You may get better results if you use the latest 7.2-WIP version from https://www.cgsecurity.org
Only scan Free space from the filesystem and store the recovered files on an external disk to avoid to overwrite lost data.

cgrenier wrote: 12 Nov 2022, 09:43 You may get better results if you use the latest 7.2-WIP version from https://www.cgsecurity.org

I downloaded the 7.2-WIP too, a month ago (for using testdisk actually, and for a different reason). That version has a timestamp from May-2021 for the executable and starts with May-2021 in the header text.
I see the same header for the one coming with QRescue, and the executable in that package has a June-2021 timestamp. Should I really expect them to work differently?

Do not rely on the version number to judge whether you are running the most recent version.
I just checked the linked Windows versions for 32 and 64 bit and the linux one at

https://www.cgsecurity.org/wiki/TestDisk_Download

They are dated the 3rd of November 2022.

recuperation wrote: 12 Nov 2022, 22:21 Do not rely on the version number to judge whether you are running the most recent version.
I just checked the linked Windows versions for 32 and 64 bit and ... They are dated the 3rd of November 2022.

Thanks. I was trying to figure this out by looking at the git repo, but the last tag is 7.1 so I got confused there.

Anyways, I have news.
After working for 5-7 days on the region of 3.19-3.40B sectors, it is now out of this vicious cycle, and suddenly started to progress at speed again.
In the past 6 hours or so it already created 90 new dirs with ~45'000 new files found (adding a total size of around 160GB), reaching sector #4.29B. So 0.9B new sectors (15%) in a couple of hours.
I checked the last few recup dirs of the slow portion if I can see any huge or otherwise interesting looking files, but couldn't see any pattern.
Hope this strange behavior does not repeat for the remaining 1.5B sectors....

I don't know what "B" should mean.

recuperation wrote: 13 Nov 2022, 09:47 I don't know what "B" should mean.

B as Billion

https://en.wikipedia.org/wiki/Binary_prefix

Do not use self-created abbreviations. B is not a valid prefix when talking about storage. Furthermore, a billion is 1.000.000.000 in the United States whereas one billion in Europe is 1.000.000.000.000.
If you are talking about a billion bytes this can either correspond to 1 TB or 1 GB.