
QNAP RAID-1 - Qlocker ransomware success recovery

May 18th, 2021, 8:24

Hello,

Last week, I got a customer with a QNAP RAID-1 infected by QLocker.

The QNAP was considered fully encrypted and the ransomware process was completed. The customer couldn't get any data the normal way. He tried various tricks he found on the internet related to this subject, no luck.
https://www.qnap.com/static/landing/202 ... sponse/en/

I rebuilt the RAID and did a RAW recovery. The result is really good, customer happy.

Thanks
Suricate.ch

Re: QNAP RAID-1 - Qlocker ransomware success recovery

May 19th, 2021, 9:50

Nice. Do you have some idea about percentage of files you were able to recover this way?

Re: QNAP RAID-1 - Qlocker ransomware success recovery

May 26th, 2021, 8:43

Today I got feedback from the customer: we recovered 80% of the pics/video.

Re: QNAP RAID-1 - Qlocker ransomware success recovery

May 26th, 2021, 10:23

Oh Nice!

Re: QNAP RAID-1 - Qlocker ransomware success recovery

July 26th, 2023, 18:02

Spotmen wrote:
Hello,

Last week, I got a customer with a QNAP RAID-1 infected by QLocker.

The QNAP was considered fully encrypted and the ransomware process was completed. The customer couldn't get any data the normal way. He tried various tricks he found on the internet related to this subject, no luck.
https://www.qnap.com/static/landing/202 ... sponse/en/

I rebuilt the RAID and did a RAW recovery. The result is really good, customer happy.

Thanks
Suricate.ch


Considered fully encrypted by who?
A) A retard.
B) QNAP tech support (who couldn't care less about ransomware?)

If it was fully encrypted, there was no way rebuilding the RAID and doing a raw scan would give you the files back.

What happened was that the encryption was cut short and client got really lucky.

Re: QNAP RAID-1 - Qlocker ransomware success recovery

July 27th, 2023, 11:00

What happened was that the encryption was cut short and client got really lucky.


This is a thing I have seen happen. I once helped someone with a recovery (carving JPGs) and the success rate was so good it really got me puzzled. After which I found a large portion of the files was never actually encrypted. In another case I discovered the encryption was only a few directories deep. Deeper nested directories were fine. Ransomware encryptors need time and can contain bugs just like any other software.
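
The partial-encryption cases described in the last two posts can be measured on a read-only mount or a folder of recovered files. The following is an added example, not part of the thread and not any poster's tool: it counts, per directory depth, files that still start with a known header versus files whose first bytes look random. The magic list, the 7.5 bits/byte cut-off and all function names are assumptions.

```python
import math
import os
import sys
from collections import Counter, defaultdict

# Headers that are still present only if the start of the file was never
# encrypted (assumed short list; extend for the file types on the volume).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"%PDF-": "pdf"}
ENTROPY_LIMIT = 7.5  # bits per byte; assumed cut-off, tune on known samples


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path, sample=65536):
    """Return 'intact:<kind>', 'suspect', 'other' or 'unreadable'."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(sample)
    except OSError:
        return "unreadable"
    # Magic check comes first: compressed media is high-entropy even when
    # intact, so entropy alone would flag healthy JPEGs as well.
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return "intact:" + kind
    # Very small files cannot reach the limit, so they land in 'other'.
    return "suspect" if shannon_entropy(head) >= ENTROPY_LIMIT else "other"


def triage_by_depth(root):
    """Map directory depth -> Counter of verdicts for the files at that depth."""
    report = defaultdict(Counter)
    root = os.path.abspath(root)
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        for name in files:
            verdict = classify(os.path.join(dirpath, name))
            report[depth][verdict.split(":")[0]] += 1
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    for depth, counts in sorted(triage_by_depth(sys.argv[1]).items()):
        print(depth, dict(counts))
```

A depth where "suspect" drops to zero while "intact" stays high is the pattern described above, where deeper nested directories were fine.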