Recover QLocker Ransomware files with TestDisk

Possible Recovery Method for QLocker Encryption On Your QNAP NAS

As many of you may be aware, a number of QNAP NAS devices have been struck in the last week+ with a ransomware attack, dubbed QLocker. It appears the root method of this intrusion was through one of two command injection methods, made via vulnerabilities in the QNAP HBS and Multimedia Console and Media Streaming services add-on, which instructed the system to begin archiving smaller files into 7z (.7zip) archives, with a withheld key. Then a readme.txt file would be left with instructions of making a payment to the hackers in exchange for the password to extract your files. Since this attack has taken place, there have been several methods that have appeared on forums, Reddit, YouTube that offer potential solutions to this (without resorting to paying the hackers) with each having a varying degree of success based on the extent to which your QNAP NAS ha been hit. In the next week or so, I am contacting many of these users who have managed to find/create methods of QLocker file recovery, in efforts to share them here and get them seen by as many people as possible. The following guide was provided (and full credit to him!) by Reddit user Open_Bumhole and though he does highlight that this is based on the further guides provided over on BleepingComputer, he has handily created a more user-friendy version of the instructions in order to help those that might have been affected.

Below is a video detailing how to strengthen your NAS security. Though you can scroll right past if you like to see the guide provided by Reddit user Open_Bumhole to use TestDisk to recover your Encrypted Files.

The Full Reddit thread by Open_Bumhole can be found HERE and also has links to further useful resources to help others out if they are still without access to their data. It is worth remembering though that the following steps, although presented in a much more chewable fashion, this is still covering a process that most would consider highly technical. This method (and indeed any method that requires SSH and more invasive command lines) do have the potential to make things worse if followed poorly, so you should not attempt the following unless you know what you are doing and/or at a loss for any other option.

Using TestDisk to Attempt to Recover Qlocker Encrypted Files

Open_Bumhole: Haven’t seen this posted yet and it might really help if you don’t have recent backups or whatever. It’s inconvenient and will require a lot of manual organising once the files are recovered, but it’s working for me. The crux is that your unencrypted files are marked for deletion and may be recoverable if you act soon. This works even if you have restarted your nas since the attack

In the event these steps are difficult to follow, I’ve reworded them keeping the steps numbered the same. If it’s still difficult in places let me know and I’ll try to edit or clarify:

This fix works by recovering files that are marked as ‘deleted’ by the filesystem but are not yet overwritten by other files (the data is still there, just inaccessible / free to be overwritten)

Pre-requisites:

  • Try not to do anything that will write files to your NAS drive after the attack! The more data you modify, the more likely your NAS OS will overwrite some ‘deleted’ data.

  • Secure your NAS before beginning. The bare minimum is to make sure you have updated your NAS firmware, official apps, and malware remover, and ensure that the malware remover has deleted the ransomware. A next best step would be to disable UPnP in your router and to disable any QNAP apps you do not use on your NAS (HybridBackupSync, Multimedia Console, etc) and maybe make it completely inaccessible from the internet in general to prevent reoccurrence.

  • Enable SSH connections on your NAS if not already enabled and do not expose the port here to the internet (Control Panel -> Network & File Services -> Telnet/SSH -> Allow SSH Connection)

  • If you’re on windows, get an SSH client like PuTTY.

If you are uncomfortable navigating an ssh terminal, two useful commands are pwd which will show you the current directory that you are inside (e.g. /mnt/rescue-share) and ls which will list all files and directories in your current directory.

  1. Create a share drive on your computer. This will be used to store the recovered files so make sure you have enough space, instructions for Windows are here.

For the next steps, let’s assume the new share is accessible at \\MY-PC\qfix and my windows username is Tulip

Note that you might struggle to connect to this from the NAS if you don’t have a password on your computer account, so set one up temporarily. I think you can also bypass the share and just use plug an external drive into the NAS if you like/that’s easier but note that if the ransomware is active, this will get encrypted too!

2. Connect to your NAS via ssh. Host: {nas admin account name}@{nas address} e.g. admin@192.168.0.60. Port should be 22 or whatever you configured in control panel. Password is the NAS account password.

3. You’ll see a text-based menu titled “Console Management – Main menu”. Press Q to select Q: Quit (return to normal shell environment) and hit enter. Confirm this with Y and enter. You’ll now be at a raw ssh prompt looking like [~] # where you can enter commands.

4. Mount the shared drive from your PC onto your NAS so you can access it with these three commands:

mkdir /mnt/rescue-share
sudo mount -t  cifs -o user=<USERNAMEOFREMOTECOMPUTER> //XXX.XXX.XXX.XXX/<NAMEOFYOURSHARE> /mnt/rescue-share
cd /mnt/rescue-share

Where <USERNAMEOFREMOTECOMPUTER> is your computer (NOT NAS) username, XXX.XXX.XXX.XXX is the IP Address or hostname of your computer and <NAMEOFYOURSHARE> is the shared folder name. You should be prompted to enter your PC’s password to connect.

This creates the /mnt/rescue-share directory on your NAS and mounts the shared folder to it, then switches to that directory so you’re now inside that shared folder connected from your NAS. You can test it by entering touch hello to make a file called hello if you like.

Using the examples in step one, my command would be:

sudo mount -t  cifs -o user=Tulip //MY-PC/qfix /mnt/rescue-share

5. Enter the command uname -a and the prompt should return some text like:

Linux <NAS_NAME> 4.14.24-qnap #1 SMP Tue Mar 2 06:10:10 CST 2021 x86_64 GNU/Linux

Make a note of whether this text contains i386 or x86_64 near the end, which is your NAS’ architecture. We need this to choose the appropriate download for the next step.

6. Download the testdisk tool for your NAS’ architecture by entering one of the following commands:

i386: wget https://www.cgsecurity.org/testdisk-7.2-WIP.linux26.tar.bz2 -O testdisk.tar.bz2

x86_64: wget https://www.cgsecurity.org/testdisk-7.2-WIP.linux26-x86_64.tar.bz2 -O testdisk.tar.bz2

This will download a file called testdisk.tar.bz2 to your shared folder.

7. We need to decompress the tool. Use the command tar -xvf testdisk.tar.bz2 to do that. This will unpack it into a new folder, you’ll have to check exactly what it’s called by using the command ls or looking on your shared drive from your computer but for me it was testdisk-7.2-WIP. Go into that folder by typing cd followed by the folder name (e.g. cd testdisk-7.2-WIP). Once there, we need to change the permissions of the test tool so that we can execute it, do that by typing chmod +x ./photorec_static

8. We need to get the volume for your compromised drive. You can find it by entering the command df -h. Unfortunately this will differ NAS-to-NAS but if you haven’t got any particular wild setup, you’ll probably be looking for whatever is mapped to share/CACHEDEV1_DATA on the right hand side. Here’s an example output where the volume can be found to be /dev/mapper/cachedev1 (note: personally, this was the same for me!)

Example output:

Filesystem Size Used Available Use% Mounted on
none                    300.0M 272.7M 27.3M 91% /
devtmpfs                938.4M 8.0K 938.4M 0% /dev
tmpfs                    64.0M 3.1M 60.9M 5% /tmp
tmpfs                   949.7M 156.0K 949.6M 0% /dev/shm
tmpfs                    16.0M 0 16.0M 0% /share
/dev/mmcblk0p5            7.7M 46.0K 7.7M 1% /mnt/boot_config
tmpfs                    16.0M 0 16.0M 0% /mnt/snapshot/export
/dev/md9                493.5M 140.1M 353.4M 28% /mnt/HDA_ROOT
cgroup_root             949.7M 0 949.7M 0% /sys/fs/cgroup
/dev/mapper/cachedev1
                         898.3G 573.5G 324.3G 64% /share/CACHEDEV1_DATA
/dev/md13               417.0M 387.7M 29.3M 93% /mnt/ext
tmpfs                    48.0M 72.0K 47.9M 0% /share/CACHEDEV1_DATA/.samba/lock/msg.lock
tmpfs                    16.0M 0 16.0M 0% /mnt/ext/opt/samba/private/msg.sock
//XXX.XXX.XXX.XXX/share
                         1.8T 104.7G 1.7T 6% /mnt/samba_spar_abo_share

9. Open the recovery tool by entering the command sudo ./photorec_static.

10. You will be prompted to select a volume. Select the volume you noted from step 8 (e.g. /dev/mapper/cachedev1)

11. You will be prompted to select a partition or the whole volume. Mine was ext4, select whichever ext appears for you (ext2/3/4)

12. You will be prompted to select another partition. Select the one labelled ext2/ext3

13. Final set of options. Choose the one labelled “FREE”

14. The last choice is where you want the recovered files to be saved. It should show you a directory listing of your current directory which will be inside the tool’s folder and you should see a lot of files relating to the tool. If you select the .. option this will navigate up one level back to the root of the shared folder. Press c to confirm the recovery folder.

15. That’s it! It will take quite a while depending on how big your drive is, You’ll see a lot of files you don’t recognise, likely logs, since it’s recovering -everything- that was ever deleted from that volume (so long as it hasn’t been overwritten by a new file). It also can’t save their names, so prepare for a lot of manual renaming!

 

Thanks again to the Reddit user Open_Bumhole and his permission to publish the steps above.

For those of you who are not aware of the QLocker ransomware and its effect on some people’s QNAP NAS systems, watch the video below.

 

 

📧 LET ME KNOW ABOUT NEW POSTS 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,410 other subscribers

Get an alert every time something gets added to this specific article!


Want to follow specific category? 📧 Subscribe

This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below

Need Advice on Data Storage from an Expert?

We want to keep the free advice on NASCompares FREE for as long as we can. Since this service started back in Jan '18, We have helped hundreds of users every month solve their storage woes, but we can only continue to do this with your support. So please do choose to buy at Amazon US and Amazon UK on the articles when buying to provide advert revenue support or to donate/support the site below. Finally, for free advice about your setup, just leave a message in the comments below here at NASCompares.com and we will get back to you. Need Help? Where possible (and where appropriate) please provide as much information about your requirements, as then I can arrange the best answer and solution to your needs. Do not worry about your e-mail address being required, it will NOT be used in a mailing list and will NOT be used in any way other than to respond to your enquiry.

    By clicking SEND you accept this Privacy Policy
    Question will be anonymously added on Q&A forum. You will receive an email from us when someone replies to it.

        Terms and Conditions Alternatively, why not ask me on the ASK NASCompares forum, by clicking the button below. This is a community hub that serves as a place that I can answer your question, chew the fat, share new release information and even get corrections posted. I will always get around to answering ALL queries, but as a one-man operation, I cannot promise speed! So by sharing your query in the ASK NASCompares section below, you can get a better range of solutions and suggestions, alongside my own.   This description contains links to Amazon. These links will take you to some of the products mentioned in today’s video. As an Amazon Associate, I earn from qualifying purchases

    DISCUSS with others your opinion about this subject.
    ASK questions to NAS community
    SHARE more details what you have found on this subject
    CONTRIBUTE with your own article or review. Click HERE
    IMPROVE this niche ecosystem, let us know what to change/fix on this site
    EARN KO-FI Share your knowledge with others and get paid for it! Click HERE

    ASK YOUR QUESTIONS HERE!

    73 thoughts on “Recover QLocker Ransomware files with TestDisk

    1. Have you done a video on how to set up let’s encrypt SSL for secure remote access to a NAS?

      I’m just a simple Plex user and moved awhile ago, that whole time my Nas was unplugged and unused for 2 years and I recently plugged it back in after setting up a media room. My NAS wouldn’t update firmware so I updated it manually with a flashdrive and I needed to make a whole new mycloud account for some reason. It’s been a pain getting it all set up but it’s currently in sleep mode. Am I still safe?

      I did manage to set up 2FA on admin and basic user account and I’ll see about setting up the X failed password revoking privileges
      REPLY ON YOUTUBE

    2. Hello sir .. recently (3 weeks ago) I brought home the QNAP TS-673A NAS. It is my first. I am a musician, looking for a less complicated, faster data throughput option mainly to avoid the audio sample libraries’ often AGONIZINGLY slow loading times. (The ‘less-complicated’ meaning that, I don’t want a setup like my current – every USB port on my laptop taken, including the Thunderbolt4 port acting as a “super-fast 3.1 Gen2 interface” to a StarTech Gen2 hub, with 4 short Gen2 cables out to portable WD Gen2 drives…) YES, it’s a nightmarish mess, but gets me the speed I want. But when I update the Kontakt library database for example, I need to scan 5 folders on 5 separate drives – instead of just 1, which I hope to achieve, and with similar speed, in my new QNAP setup.

      This would be up and running a few weeks ago, but I am busy touring with the band I play with this summer and seldom home on weekends. But in my research about QNAP NAS’s (including, thankfully, many of your fine contributions here on YT) .. it didn’t take long at all to learn of the security exploits and dreaded RW attacks. So my ‘rush’ to setup this NAS – turned into something not so rushed at all. One alternative, according to a review of my same product on Amazon, indicates the fellow used something called “TrueNAS Scale” – a freeware, open-source OS he claims to be much more secure than what QNAP offers, but what others say is incredibly complex and non-user-friendly.

      So right now, I sit on a day off with the NAS plugged in (not powered on) populated with 1 WD “Gold” Enterprise 8 TB drive, along with 4 WD “Red Plus” NAS 8 TB drives, ready for a RAID 5 configuration. My laptop’s Thunderbolt 4 port is connected to one of the NAS’s USB faster ports (not the slower USB-C which you rightfully ridiculed in your TS-873A review). The ‘Power’ button has not been pushed yet. I have a network connection ready for a cloud install when I finally turn it on, and I have your 2022 QNAP NAS Setup Guide series of 6? videos all cued up and ready to follow with precision. So I guess my only question is: IS IT SAFE, on this day, TO DO THE STANDARD QNAP QuTS “hero” install??? Or should I try the alternative TrueNAS Scale install, for which there are a few walkthrough videos I could follow as well? I’m leaning toward QNAP … but only if it is safe. Answers from anyone well-experienced NAS’ers are welcome too. Thanks you sir, and keep up the great work you do!
      REPLY ON YOUTUBE

    3. Worker with a reliable hacker is what I think is all over the world and I recommend a hacker parfait who works with good heart and sincerity Dee_hack11 is in Seoul☝️☝️☝️.
      REPLY ON YOUTUBE

    4. If i don’t have QNAP Cloud installed, does that mean that i am not connected to the internet?
      Is sending email notification not a good idea, considering i don’t want to link my NAS to the internet?
      REPLY ON YOUTUBE

    5. My company system was infected too. We all couldn’t use our computers because it spreads to everyone computer. Our manager has explained that he hire #GLOCYBER ON INSTAGRAM and he was able to fix it. At least, we could have our jobs again.
      REPLY ON YOUTUBE

    6. My mums computer was infected and she asked me to help her. Although I don’t know how to fix it so I contacted #GLOCYBER ON INSTAGRAM and he helped us. He charged us a bit but it was very affordable. Thanks to him.
      REPLY ON YOUTUBE

    7. I got infected too. It was annoying seeing your computer but can’t use it. I did asked my technician and he suggest I should contact #GLOCYBER ON INSTAGRAM. I did contact him and he was able to help me out.
      REPLY ON YOUTUBE

    8. Am a photographer and it affected all my clients files and pictures. It affects my animal documentation pics. I almost cried, then I make my research and found out that #GLOCYBER ON INSTAGRAM has been helping out. He did mine and thanks to him.
      REPLY ON YOUTUBE

    9. I got affected by the division of the virus. And I could not read for my exam because it encrypted all my lectures note. Thanks to my lecturer who recommended #GLOCYBER ON INSTAGRAM to help me recover my files. He did and am so happy.
      REPLY ON YOUTUBE

    10. Am a student too and it lock all my pdf and everything other thing in my laptop. Am so happy I got help from #GLOCYBER ON INSTAGRAM. He did a marvelous work and now I have all my files back.
      REPLY ON YOUTUBE

    11. I was dead in need of my computer. But I could not all because of this virus. I was recommended to #GLOCYBER on instagram and he responded to me and helped me fix my laptop.
      REPLY ON YOUTUBE

    12. Am able to contact #GLOCYBER on INSTAGRAM and I showed him what has happened to my computer. He was able to assist and get my computer free from the virus.
      REPLY ON YOUTUBE

    13. It was through the help of #GLOCYBER on instagram that we ware able to get our money photos decrypt. The virus has held all the pics in the system.
      REPLY ON YOUTUBE

    14. I found a legit cyber professional. He is #GLOCYBER on instagram. he was able to help me fix and decrypt all my encrypted files. Thanks to him for his kindness.
      REPLY ON YOUTUBE

    15. Contacting #GLOCYBER on instagram was the best thing I did after my files got infected. He quickly decrypt all my files and get me free from the virus.
      REPLY ON YOUTUBE

    16. This virus has been attached to my files for more than a week. It was my dad who directed me to #GLOCYBER on instagram and he was able to get rid of the virus. Thanks to him.
      REPLY ON YOUTUBE

    17. my files have been encrypted and I thought I would never use them again. My lecturer told me to reach #GLOCYBER on instagram and he was able to help me recover my files from the virus. Thanks to him.
      REPLY ON YOUTUBE

    18. My computer was affected too and it got stuck of all the virus. Thanks to my sister who had recommended #GLOCYBER on instagram. I search him on google and he responded to me. Thanks to him.
      REPLY ON YOUTUBE

    19. *I was hit, so unplugged, shutdown, external USB backs fine. Plex user, was watching at the time no issues, went to update saver denied, then found the splash screen, no on reboot, water gapped on an independent switch no WiFi etc, it instantly goes to initialization. So save to assume the service themselves have been affected. Did safe shutdown. After some time I turn on everything then I found out I’ve been truly hit by deadbolt. I did as many research as I could and I found out that scott can actually decrypt the encrypted files So I paid some money not upto what deadbolt team are asking, then he decrypted my files*
      REPLY ON YOUTUBE

    20. *I was hit, so unplugged, shutdown, external USB backs fine. Plex user, was watching at the time no issues, went to update saver denied, then found the splash screen, no on reboot, water gapped on an independent switch no WiFi etc, it instantly goes to initialization. So save to assume the service themselves have been affected. Did safe shutdown. After some time I turn on everything then I found out I’ve been truly hit by deadbolt. I did as many research as I could and I found out that scott can actually decrypt the encrypted files So I paid some money not upto what deadbolt team are asking, then he decrypted my files*
      REPLY ON YOUTUBE

    21. *I was hit, so unplugged, shutdown, external USB backs fine. Plex user, was watching at the time no issues, went to update saver denied, then found the splash screen, no on reboot, water gapped on an independent switch no WiFi etc, it instantly goes to initialization. So save to assume the service themselves have been affected. Did safe shutdown. After some time I turn on everything then I found out I’ve been truly hit by deadbolt. I did as many research as I could and I found out that scott can actually decrypt the encrypted files So I paid some money not upto what deadbolt team are asking, then he decrypted my files*
      REPLY ON YOUTUBE

    22. Forgive that this may be a stupid question. But – if you have a QNAP NAS plugged in to your computer – and your computer is connected to the internet – does that mean your NAS is connected to the internet also? Or – is the hacking security risk purely for if you choose to directly connect the NAS to the internet (and therefore if you don’t, you risk free)?
      REPLY ON YOUTUBE

    23. ????I was so glad when I finally realized and get in touch with Glo Cyber while I used the contact above. He is indeed a genius and his skill are authentic. I rec. everyone to appreciate his efforts.
      REPLY ON YOUTUBE

    24. I don’t have the QuFirewall and the SSecurity Counselor available sadly, at least it just doesn’t want to install. Probably because my NAS is way too old, running QTS 4.2.6
      REPLY ON YOUTUBE

    25. hello sir your videos is so helpfull for me but i am confuse with how to configure alnet ssystem software with qnap nas storage i have configure qnap nas storage raid 6 with 4tb *12 hdd 1 hdd in spare but i am able to see live video but not able save nas storage so can you help me how to add path in qnap nas storage for save recording. Thanks,Jerry Upadhyay
      REPLY ON YOUTUBE

    26. The little graphics was very helpful. I learned my lesson for sure on what having a backup actually means.

      I naively bought my NAS thinking it would be my own little personal cloud machine and sole backup (thinking raid would keep me safe forever) for my documents, photos, and videos.

      Now I realize I’m going to still have to spend more money on cloud services and be very careful with my qnap nas.

      I was immediately thinking of switching to Synology since you said it’s more user friendly and all I really use my NAS for is backup and as a cloud drive to put my files into it and be able to retrieve them on my phone. Unfortunately, from what I’ve seen on the appstore the other Nas company apps look like they are just as rough, slow, and confusing to use as Qnap’s (Qmanager and Qfile). I don’t understand how “downloads” and “Qsync” works on Qfile for example so I’ve been just moving files manually as I would on any other cloud app.

      For now I’m staying with my TS-453D.
      But still have mixed feelings about it.
      REPLY ON YOUTUBE

    27. I wish I saw this video before ???? apparently Qnap got hit with a massive ransomware attack this year and I had no idea. My files are all encrypted by some hacker asking for Bitcoin in exchange for passwords ????
      REPLY ON YOUTUBE

    28. So I got stung by the Qlocker ransom ware attack and apparently it was caused by a back door issue relating one of the apps, hybrid desk station? I can’t recall I was too busy fuming at how a company could have this vulnerability. And I do appreciate the support the qnap staff have tried to give in recovering the files and data, but when the process broke down and they let communication fade, with lack of support to get a resolution I soon lost patients with them and decided to let go of some files. I thankfully did have back ups but when your sync does the backing up it basically just had a knock on effect so ran some files where synced to pc, and a back up hard drive before I had noticed. Thankfully larger files where left and they only went after the smaller file sizes.

      Anyway long story short, always back up your data manually on an off line hard drive. This is the only real way you can secure a true back up of your files. Thankfully an old NAS gave that option to me.
      REPLY ON YOUTUBE

    29. Changing the default port does not enhance security. Security by obscurity. Port scanners can detect open ports it might fool some scripts.

      Most people who serious about securing administrative interfaces dont expose them directly to the internet period.
      Thats terrible terrible terrible security pratice.

      A seperate vpn server with a dedicated vlan for admin is what you should be using to secure the admin interface and remotely managing the nas.

      Example
      Setup vlan 100 for management
      Setup vlan 201 for cifs
      Setup vlan 202 for iscsi

      Setup vlan 300 for public network (internet)

      Setup vpn server in dmz with one arm into the public network (300) another arm into vlan 100.
      Setup logging and auditing.
      Ensure 2fa exists for vpn service.

      The qnap should have ports trunked with vlan 100,201,202 or dedicated ports.
      Assign the services ip addresses in each of the ranges.

      I never ever bother changing port numbers it simply offers very little security and may just elude some scripts scanning on certain ports
      REPLY ON YOUTUBE