Skip to main content

Creating image from Qnap NAS

Thread needs solution
Beginner
Posts: 8
Comments: 10

Hi,

My Qnap NAS and thousands of others have been hqcked by ransomeware placing a .7z on all files which have been encrypted.

Can I take an image of the NAS to another Win10 x64 USN drive and mount it to see the files and hopefully deleted files?

Thanks

1 Users found this helpful
Legend
Posts: 105
Comments: 25746

David, if your NAS has been compromised by ransomware and the files encrypted, then any backup will only contain the same encrypted files.

I would recommend looking in the QNAP support forums for advice / guidance on how to approach this ransomware issue, i.e. whether anyone has released any decryption tools to use to try to rescue your files?

Forum Star
Posts: 190
Comments: 4433

As usual, Steve is giving excellent advice.

The file extension indicates they have been encrypted using 7zip. There is no way of knowing what, nasties are hidden within. I would only play with them on “throwaway” PC, without a connection to a network and no wifi capabilities. I would be circumspect about using a virtual machine, unless you are convinced it cannot communicate with the host.

Being one for abundant caution I would also disconnect the NAS from the network until it is clear that there’s no risk to computers on the network.

Ian

Legend
Posts: 105
Comments: 25746

See the following further information:

webpage: QNAP NAS devices under ransomware attack

webpage: Response to Qlocker Ransomware Attacks: Take Actions to Secure QNAP NAS

webpage: Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices

The above have advice on how to stop further infection etc.

Beginner
Posts: 8
Comments: 10

Many thanks guys for the help.

I have managed to retrieve 922,000 files from the NAS using PuTTy and PhotoRec to an external PC drive, however they have lost their filename s and are just numbered. You can image how much trouble it is going to be to match the files to get the correct filenames again.

This Ransomeware encrypted the files to 7z then dleeted the originals. To get them unecrypted they want what would be nearly 1k$ from me and I refuse to pay criminals. The files are still there as deleted so that is what I am trying to get with their correct orig names.

So, I did a TI 2016 image of the full NAS drive to the ext NTSC drive. It shows as a full tib with 3 adds.

I have also taken the drive out of the NAS (help from their forum) and have attached it using an USB adaptor. It shows are Disk 4 in my Win10x64 Disk Management.

I have the latest GetDataBack and want to access the tib so I can see iI can retrieve the deleted files with their filenames. This has worked for me with PC drives but I have never had to do this with a NAS (Linux).

I also want to try and use GetDataBack to access the actual NAS drive I now have on the ext USB.

I have contacted GDB support and await their help.

I am here as I see that GDB does not show the tib files in their, 'open an image' options, so not sure if it will work with my images.

Any help is appreciated.

Legend
Posts: 105
Comments: 25746

Any Acronis .tib archive files can only be opened by ATI and not by any third party tools.

You could restore these to a spare drive etc but if the backup is of the encrypted files, then you are in the same place.

Unfortunately when files are encrypted and the originals deleted, the extra processing on the drive can cause those deleted files to be overwritten as the process repeats, making recovery a whole lot harder!

I fully agree about not paying ransomware - doing so only rewards the criminals using this approach and encourages further use of the same.

Beginner
Posts: 8
Comments: 10

Thank you for the reply.

In my Win 10 x64PC  I just tried to mount the tib however it says it cannot, as there is no partition.

Is this normal with a NAS drive, maybe I should have imaged a different way?

The files and folders can still be seen in the NAS.

oz

Legend
Posts: 105
Comments: 25746

David, if your NAS drive uses Linux filesystem formatting, i.e. EXT4, then even if you could mount this in Windows, you wouldn't be able to read the contents of the drive!

With Files & Folders backup images, you should be able to double-click the file and open it in Explorer to see the contents if the backup was created from Windows using ATI.