A Guide to Recovering Your NAS Files from the QLocker QNAP NAS Malware Attack
Good news for those of you whose QNAP NAS systems were affected by the QLocker Malware attack last month – a recoverable solution has been produced by QNAP on this (with assistance from 3rd party open source project PhotoRec) that, although a little long and technical, is a great deal more understandable than many QLocker solutions that have appeared yet. This new method does not need users to open SSH on their system and although there is a degree of command/code entry involved, it is moderately straightforward and will hopefully allow you to avoid paying the ransomware fee to recover files. This method centres around file recovery, rather than breaking the encryption, so like any data recovery practice, this is not going to be tremendously quick – i.e. it will be largely dictated by the volume of files that need recovery. It will be interesting to see how much QNAP HQ have learned from this Qlocker business, what can be done to avoid this in future and if QRescue and collaborative builds with recovery software like PhotoRec can build towards a standardized NAS tool that can be used more generally in recovery in the future. Nevertheless, below is the guide that was provided by QNAP and includes tools and links to resources that will help you get the recovery completed.
Important Note – Do not attempt this ‘casually’. This method is by no means as intrusive as other methods in the last few weeks that involved messaging with the encrypted files themselves but IS a guide you should be prepared to action from beginning to end in a single session – so make sure you have allowed a good stretch of time to do this! Additionally, you WILL need access to an external Hard Drive/SSD that is 1.5-2 times the size of the data you are trying to recover, as additional space is liked needed during the recovery of files before they are completed. Make sure the external drive is EMPTY as it WILL be formatted.
Step By Step Guide to Recovering Encryptioned QNAP NAS files from QLocker
Make sure your QNAP NAS is running normally and no firmware/restarts are scheduled during the process of running PhotoRec or QRescue on your NAS. Additionally, another reminder that the external HDD/SSD that you use for the recovered files from QLocker WILL be formatted during following these steps. This Guide covers:
- Overview
- Requirements
Steps
- Part 1. Configure external HDD with the name “rescue” and create folders with the name “recup1” for recovery.
- Part 2. Download and Manually Install the QRescue App
- Part 3. Run PhotoRec
- Part 4. Run QRescue
- Part 5. Move the recovery data to your NAS.
Let’s begin.
Overview:
QRescue is the data recovery tool for Qlocker-encrypted 7z files. It contains:
- PhotoRec (Open Source Project / GNU General Public License / Project Link):
File recovery software designed to recover lost files from hard disks and CD-ROMs, and lost pictures (thus the Photo Recovery name) from the storage medium. - QRescue (Powered by QNAP):
The script to recover file structures from the encrypted 7z files and PhotoRec files.
Requirements:
- Download the QRescue app from this link.
https://download.qnap.com/QPKG/QRescue.zip - Prepare an external hard disk drive with a capacity larger than the total used storage space on your NAS.
- Note: It’s advised to prepare an external HDD with 1.5 to 2x free space than the total used storage space on your NAS. Additional space might be required during the recovery process. If the available space is less than the suggested value, error and other issues may occur.
- Note: It’s advised to prepare an external HDD with 1.5 to 2x free space than the total used storage space on your NAS. Additional space might be required during the recovery process. If the available space is less than the suggested value, error and other issues may occur.
Steps:
Part 1. Configure external HDD with the name “rescue” and create folders with the name “recup1” for recovery.
QRescue will process the recovery process to external drive first, and we need to do some configuration for this recovery process and create the specific destination and folder name.
- You need to prepare an external HDD that its usable capacity is larger than the total used storage size of your NAS. This is because you will recover the files to the external device first. Please check your used volume size first by clicking More > About on the QTS desktop.
- Insert the external drive to your NAS. Please go to Storage Manager > External Device > Select your external device > Click “Actions” > Click “Format” to format the external drive.
- The File System must be “EXT4”, and the Label name must be key in “rescue”. If these configuration is ready, please click “Format”
Notice:
The QRescue app will use “rescue” as the external drive name. If you use other names, the recovery process might fail. - (Optional) If you disable the admin account or you don’t use admin to login QTS, you might not see the external drive on the File Station. Please go to Control Panel > Privilege > Shared Folder > Edit Shared Folder Permission to enable or change read / write permission for “rescue” folder and to match the account that you log in the NAS.
- Sample:
Grant other administrator group account (Example: “_qnap_support” is the administrator group account for read/write permission to external hard drive naming “rescue”).
- Sample:
- Using File Station to check the volume for the correct external device name.
- Create the new folder and name as “recup1” (format: recup+{number}). If you have more than one storage volume, you need to add more folders for recovery.
Notice:
The QRescue app will use “recup+{number}” as the folder name. If you use other names, the recovery process might fail.Part 2. Download and Manually Install the QRescue App
This QRescue app is a special build. Therefore, you need to manually install this app from the QTS App Center.
- Please go to this link to download the QRescue app.
https://download.qnap.com/QPKG/QRescue.zip - Please go to App Center > Click Install Manually > Click Browse to find the QRescue app location on your computer.
- After selecting the app location, you can click Install. Wait until the installation completes and open the QRescue app on QTS desktop or side-bar.
- When you open the QRescue app, you will see the web console. It can help to run PhotoRec and QRescue to recover your files.
Part 3. Run PhotoRec
Running PhotoRec can help you to recover the lost files from hard disks to the external drive. Now you will recover the NAS files to the “recup1” (example: recup+{disk_number}) folder on the external drive.
- Type this command and press Enter on your keyboard. You will start to run PhotoRec.
Command:
photorec
- Use Up/Down arrows to choose the hard drive. And you can start to select the NAS disk for running recovery by PhotoRec.
- Sample:
- /dev/mapper/cachedev1 as 1st data volume
- /dev/mapper/cachedev2 as 2nd data volume
… - /dev/mapper/cachedev20 as 20th data volume
- Note:
You can check the number of data volumes in Storage & Snapshots > Storage/Snapshots
- Sample:
- Select the “ext4” partition and press “Enter”
- Select the file system as [ ext2/ext3 ] and click “Enter” key.
- Select the space as [ Whole ] and click the “Enter” key.
- Now we need to select the external device’s folder as the recovery destination.
- Source Destination: /share/external/DEV3301_01/qpkg/QRescue [QRescue qpkg]
- Recovery Destination: /share/rescue/recup1 [External Device]
- Click “..” to go back to the upper level folder
- Sample destination: External disk on QRescue app
- Sample: External Device (name: rescue) > Destination Folder (name: recup1)
- Sample destination: External disk on QRescue app
- Please click “C” on the keyboard when the destination is “/share/rescue/recup1”.
- Start to run the recovery process by PhotoRec. Now you can see the estimated time to completion.
- When you finish the PhotoRec, you can press enter when you select [Quit] or type in “ctrl-c” to exit.
Part 4. Run QRescue
Run QRescue can help you to recover the files retrieved by PhotoRec. Now you will recover the files from the “recup+{number}” folder to the “restore+{number}” folder which auto creates on your external drive.
- Type this command and click Enter on your keyboard. You will start to run QRescue.
Command:
qrescue.sh
- (Optional) If you have two or more data volumes on your NAS, the screen will let you select which data volume you will start the process. Please type the number and press “enter”. If you only have one data volume, you might not see this step.
- (Optional) Now you can see the progress for which files were completed in the recovery process.
- When all of the QRescue process is completed, the screen will show the result summary and the process for sending the system log.
- QRescue app also will send the event log to QuLog Center / System Log and notify you on finishing the whole recovery process. If you have opened the QNAP support ticket, don’t forget to make the feedback for your case. QNAP support team will help you to double check. Thank you very much.
Part 5. Move the recovery data to your NAS.
You can move the recovery data to your NAS by File Station
So, did this QLocker recovery guide work for you? How did you find the PhotoRec and QRescue applications did their job? Let me know in the comments and share with others how well/poorly this guide helped you recover your files from ransomware encryption.
Alternatively, If you still need help choosing the NAS solution for your needs, use the NASCompares free advice section below. It is completely free, is not a subscription service and is manned by real humans (two humans actually, me and Eddie). We promise impartial advice, recommendations based on your hardware and budget, and although it might take an extra day or two to answer your question, we will get back to you.
📧 SUBSCRIBE TO OUR NEWSLETTER 🔔
🔒 Join Inner Circle
Get an alert every time something gets added to this specific article!
This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below
Need Advice on Data Storage from an Expert?
Finally, for free advice about your setup, just leave a message in the comments below here at NASCompares.com and we will get back to you. Need Help? Where possible (and where appropriate) please provide as much information about your requirements, as then I can arrange the best answer and solution to your needs. Do not worry about your e-mail address being required, it will NOT be used in a mailing list and will NOT be used in any way other than to respond to your enquiry.(Early Access) The BEST Photographer and Video Editor NAS (2024)
(Early Access) COOL NAS UPGRADES (You might Not Know About)
(Early Access) UGREEN NAS SERIES - SHOULD YOU BUY?
(Early Access) DIY NAS - The Cost of Building a Synology NAS?
(Early Access) The Best DIY NAS Builds for Under $500
(Early Access) DIY NAS vs Lockerstor Gen 3 - IS IT WORTH $1299 ???
(Early Access) Lockerstor Gen 3 Series - SHOULD YOU BUY ONE?
(Early Access) Asustor ADM 5 Software Review - Should Synology Be Worried?
(Early Access) Best 8-Bay NAS of 2024
(Early Access) Best 4-Bay NAS of 2024
(Early Access) Best 2-Bay NAS of 2024
(Early Access) Best Value NAS of 2024 - SAVE SOME MONEY!
Access content via Patreon or KO-FI
I have malware on top of the qlocker files. So, my files have this extention: .7z.deadbolt. Is there a way to remove the .deadbolt then run the qrescue to remove the .7z?
REPLY ON YOUTUBE
Is there a way to delete the .7z files from my NAS once I have recovered and moved the recovered files back to the NAS ?
REPLY ON YOUTUBE
After trying for some time, I had to contact *SCOTTS_HACK* to help me get the deadbolt off my Nas. I’m free now….
REPLY ON YOUTUBE
After trying for some time, I had to contact *SCOTTS_HACK* to help me get the deadbolt off my Nas. I’m free now….
REPLY ON YOUTUBE
Good day all for DEADBOLT RANSOMWARE REMOVAL. consult *SCOTTS_HACK* Thank you
REPLY ON YOUTUBE
Good day all for DEADBOLT RANSOMWARE REMOVAL. consult *SCOTTS_HACK* Thank you
REPLY ON YOUTUBE
You’re ???? such a genius, I really appreciate your services, fast and safe recovery process.
REPLY ON YOUTUBE
You’re ???? such a genius, I really appreciate your services, fast and safe recovery process.
REPLY ON YOUTUBE
You’re ???? such a genius, I really appreciate your services, fast and safe recovery process.
REPLY ON YOUTUBE
You’re ???? such a genius, I really appreciate your services, fast and safe recovery process.
REPLY ON YOUTUBE
I was a victim of QNAP Qlocker where all my data was compressed. I managed to retrieve most of my stuff from old discs but lost 3 years of recent photos ????
QNAP support were more than useless and said it was basically my fault. I have now 3 copies of my data! Why is there so much bloatware that comes pre-installed on QNAP?
REPLY ON YOUTUBE
TS-219P II
REPLY ON YOUTUBE
Ever have the precess ‘stall-out’ at step 18? There has been no activity for hours however it has not moved to the quite screen in step 19. The destination folder is larger than the source, is this telling me it’s done?
REPLY ON YOUTUBE
13:05 “too soon…too soon” ????. I don’t think he got that
REPLY ON YOUTUBE
Less than a year later, here we are again with a new one….Deadbolt!
REPLY ON YOUTUBE
Does this still work? I can’t get it to load.
REPLY ON YOUTUBE
Great now I just need to find a “spare” 30TB external drive so I can finally get my files back….
REPLY ON YOUTUBE
I dont understand people storing all their backups locally. I have a TS-653D which is used as Plex and my personal storage, that system is linked to two offsite backups plus cloud.
REPLY ON YOUTUBE
I’m very new in the Qnap game but thank you for taking the time in doing this I’ve been using WD for over 10 years but it’s just too darn old with no updates so I looked at Qnap due to the hardware aspects I liked what I’ve seen I currently have a TS-932PX and added the memory to 16Gb I’m just using iron wolfs 8tbs and 120Gb in SSD’s RAID 5
REPLY ON YOUTUBE
I could not start QRescue although it asked to select 1 -0 disks without showing the contents of 1 or 0 after long time of recovery work. How can I start QRescue? It continues to ask the same question 1-0. Please kindly advise.
REPLY ON YOUTUBE
The boring dating profile intro was hilarious haha. He was a good guest, seems to know his stuff though he definitely said the hard truth which hurts lol. Learned a lot about truly backing up files. Also I will stop using my administrator account as my only account.
I never used the snapshots feature, unfortunately, since the whole Nas setup was confusing for me but now I see it is very important and I assume works like a Windows restore point.
I wish they were better at communicating this issue. I had to find out I was hacked months after. Only now realizing they sent one little email on this after the hack.
REPLY ON YOUTUBE
I really like you two guys Robbie and Eddie, thanks for what you are doing and keep up the good work!! Greetings from Sweden!
REPLY ON YOUTUBE