Recover QLocker Ransomware files with TestDisk

Possible Recovery Method for QLocker Encryption On Your QNAP NAS

As many of you may be aware, a number of QNAP NAS devices have been struck in the last week+ with a ransomware attack, dubbed QLocker. It appears the root method of this intrusion was through one of two command injection methods, made via vulnerabilities in the QNAP HBS and Multimedia Console and Media Streaming services add-on, which instructed the system to begin archiving smaller files into 7z (.7zip) archives, with a withheld key. Then a readme.txt file would be left with instructions of making a payment to the hackers in exchange for the password to extract your files. Since this attack has taken place, there have been several methods that have appeared on forums, Reddit, YouTube that offer potential solutions to this (without resorting to paying the hackers) with each having a varying degree of success based on the extent to which your QNAP NAS ha been hit. In the next week or so, I am contacting many of these users who have managed to find/create methods of QLocker file recovery, in efforts to share them here and get them seen by as many people as possible. The following guide was provided (and full credit to him!) by Reddit user Open_Bumhole and though he does highlight that this is based on the further guides provided over on BleepingComputer, he has handily created a more user-friendy version of the instructions in order to help those that might have been affected.

Below is a video detailing how to strengthen your NAS security. Though you can scroll right past if you like to see the guide provided by Reddit user Open_Bumhole to use TestDisk to recover your Encrypted Files.

The Full Reddit thread by Open_Bumhole can be found HERE and also has links to further useful resources to help others out if they are still without access to their data. It is worth remembering though that the following steps, although presented in a much more chewable fashion, this is still covering a process that most would consider highly technical. This method (and indeed any method that requires SSH and more invasive command lines) do have the potential to make things worse if followed poorly, so you should not attempt the following unless you know what you are doing and/or at a loss for any other option.

Using TestDisk to Attempt to Recover Qlocker Encrypted Files

Open_Bumhole: Haven’t seen this posted yet and it might really help if you don’t have recent backups or whatever. It’s inconvenient and will require a lot of manual organising once the files are recovered, but it’s working for me. The crux is that your unencrypted files are marked for deletion and may be recoverable if you act soon. This works even if you have restarted your nas since the attack

In the event these steps are difficult to follow, I’ve reworded them keeping the steps numbered the same. If it’s still difficult in places let me know and I’ll try to edit or clarify:

This fix works by recovering files that are marked as ‘deleted’ by the filesystem but are not yet overwritten by other files (the data is still there, just inaccessible / free to be overwritten)

Pre-requisites:

• Try not to do anything that will write files to your NAS drive after the attack! The more data you modify, the more likely your NAS OS will overwrite some ‘deleted’ data.

• Secure your NAS before beginning. The bare minimum is to make sure you have updated your NAS firmware, official apps, and malware remover, and ensure that the malware remover has deleted the ransomware. A next best step would be to disable UPnP in your router and to disable any QNAP apps you do not use on your NAS (HybridBackupSync, Multimedia Console, etc) and maybe make it completely inaccessible from the internet in general to prevent reoccurrence.

• Enable SSH connections on your NAS if not already enabled and do not expose the port here to the internet (Control Panel -> Network & File Services -> Telnet/SSH -> Allow SSH Connection)

• If you’re on windows, get an SSH client like PuTTY.

If you are uncomfortable navigating an ssh terminal, two useful commands are pwd which will show you the current directory that you are inside (e.g. /mnt/rescue-share) and ls which will list all files and directories in your current directory.

1. Create a share drive on your computer. This will be used to store the recovered files so make sure you have enough space, instructions for Windows are here.

For the next steps, let’s assume the new share is accessible at \\MY-PC\qfix and my windows username is Tulip

Note that you might struggle to connect to this from the NAS if you don’t have a password on your computer account, so set one up temporarily. I think you can also bypass the share and just use plug an external drive into the NAS if you like/that’s easier but note that if the ransomware is active, this will get encrypted too!

2. Connect to your NAS via ssh. Host: {nas admin account name}@{nas address} e.g. admin@192.168.0.60. Port should be 22 or whatever you configured in control panel. Password is the NAS account password.

3. You’ll see a text-based menu titled “Console Management – Main menu”. Press Q to select Q: Quit (return to normal shell environment) and hit enter. Confirm this with Y and enter. You’ll now be at a raw ssh prompt looking like [~] # where you can enter commands.

4. Mount the shared drive from your PC onto your NAS so you can access it with these three commands:

mkdir /mnt/rescue-share
sudo mount -t  cifs -o user=<USERNAMEOFREMOTECOMPUTER> //XXX.XXX.XXX.XXX/<NAMEOFYOURSHARE> /mnt/rescue-share
cd /mnt/rescue-share

Where <USERNAMEOFREMOTECOMPUTER> is your computer (NOT NAS) username, XXX.XXX.XXX.XXX is the IP Address or hostname of your computer and <NAMEOFYOURSHARE> is the shared folder name. You should be prompted to enter your PC’s password to connect.

This creates the /mnt/rescue-share directory on your NAS and mounts the shared folder to it, then switches to that directory so you’re now inside that shared folder connected from your NAS. You can test it by entering touch hello to make a file called hello if you like.

Using the examples in step one, my command would be:

sudo mount -t  cifs -o user=Tulip //MY-PC/qfix /mnt/rescue-share

5. Enter the command uname -a and the prompt should return some text like:

Linux <NAS_NAME> 4.14.24-qnap #1 SMP Tue Mar 2 06:10:10 CST 2021 x86_64 GNU/Linux

Make a note of whether this text contains i386 or x86_64 near the end, which is your NAS’ architecture. We need this to choose the appropriate download for the next step.

6. Download the testdisk tool for your NAS’ architecture by entering one of the following commands:

i386: wget https://www.cgsecurity.org/testdisk-7.2-WIP.linux26.tar.bz2 -O testdisk.tar.bz2

x86_64: wget https://www.cgsecurity.org/testdisk-7.2-WIP.linux26-x86_64.tar.bz2 -O testdisk.tar.bz2

This will download a file called testdisk.tar.bz2 to your shared folder.

7. We need to decompress the tool. Use the command tar -xvf testdisk.tar.bz2 to do that. This will unpack it into a new folder, you’ll have to check exactly what it’s called by using the command ls or looking on your shared drive from your computer but for me it was testdisk-7.2-WIP. Go into that folder by typing cd followed by the folder name (e.g. cd testdisk-7.2-WIP). Once there, we need to change the permissions of the test tool so that we can execute it, do that by typing chmod +x ./photorec_static

8. We need to get the volume for your compromised drive. You can find it by entering the command df -h. Unfortunately this will differ NAS-to-NAS but if you haven’t got any particular wild setup, you’ll probably be looking for whatever is mapped to share/CACHEDEV1_DATA on the right hand side. Here’s an example output where the volume can be found to be /dev/mapper/cachedev1 (note: personally, this was the same for me!)

Example output:

Filesystem Size Used Available Use% Mounted on
none                    300.0M 272.7M 27.3M 91% /
devtmpfs                938.4M 8.0K 938.4M 0% /dev
tmpfs                    64.0M 3.1M 60.9M 5% /tmp
tmpfs                   949.7M 156.0K 949.6M 0% /dev/shm
tmpfs                    16.0M 0 16.0M 0% /share
/dev/mmcblk0p5            7.7M 46.0K 7.7M 1% /mnt/boot_config
tmpfs                    16.0M 0 16.0M 0% /mnt/snapshot/export
/dev/md9                493.5M 140.1M 353.4M 28% /mnt/HDA_ROOT
cgroup_root             949.7M 0 949.7M 0% /sys/fs/cgroup
/dev/mapper/cachedev1
                         898.3G 573.5G 324.3G 64% /share/CACHEDEV1_DATA
/dev/md13               417.0M 387.7M 29.3M 93% /mnt/ext
tmpfs                    48.0M 72.0K 47.9M 0% /share/CACHEDEV1_DATA/.samba/lock/msg.lock
tmpfs                    16.0M 0 16.0M 0% /mnt/ext/opt/samba/private/msg.sock
//XXX.XXX.XXX.XXX/share
                         1.8T 104.7G 1.7T 6% /mnt/samba_spar_abo_share

9. Open the recovery tool by entering the command sudo ./photorec_static.

10. You will be prompted to select a volume. Select the volume you noted from step 8 (e.g. /dev/mapper/cachedev1)

11. You will be prompted to select a partition or the whole volume. Mine was ext4, select whichever ext appears for you (ext2/3/4)

12. You will be prompted to select another partition. Select the one labelled ext2/ext3

13. Final set of options. Choose the one labelled “FREE”

14. The last choice is where you want the recovered files to be saved. It should show you a directory listing of your current directory which will be inside the tool’s folder and you should see a lot of files relating to the tool. If you select the .. option this will navigate up one level back to the root of the shared folder. Press c to confirm the recovery folder.

15. That’s it! It will take quite a while depending on how big your drive is, You’ll see a lot of files you don’t recognise, likely logs, since it’s recovering -everything- that was ever deleted from that volume (so long as it hasn’t been overwritten by a new file). It also can’t save their names, so prepare for a lot of manual renaming!

 

Thanks again to the Reddit user Open_Bumhole and his permission to publish the steps above.

For those of you who are not aware of the QLocker ransomware and its effect on some people’s QNAP NAS systems, watch the video below.

 

 

📧 SUBSCRIBE TO OUR NEWSLETTER 🔔

🔒 Join Inner Circle

This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below

Need Advice on Data Storage from an Expert?

Finally, for free advice about your setup, just leave a message in the comments below here at NASCompares.com and we will get back to you. Need Help? Where possible (and where appropriate) please provide as much information about your requirements, as then I can arrange the best answer and solution to your needs. Do not worry about your e-mail address being required, it will NOT be used in a mailing list and will NOT be used in any way other than to respond to your enquiry. TRY CHAT Terms and Conditions   Alternatively, why not ask me on the ASK NASCompares forum, by clicking the button below. This is a community hub that serves as a place that I can answer your question, chew the fat, share new release information and even get corrections posted. I will always get around to answering ALL queries, but as a one-man operation, I cannot promise speed! So by sharing your query in the ASK NASCompares section below, you can get a better range of solutions and suggestions, alongside my own.

☕ WE LOVE COFFEE ☕

  This description contains links to Amazon. These links will take you to some of the products mentioned in today’s video. As an Amazon Associate, I earn from qualifying purchases