NAS포럼 입니다.

msolav, on 23 Apr 2021 - 12:33 AM, said:

 

mai2vin, on 22 Apr 2021 - 11:55 PM, said:

It is working fine. The perpetrator has archived the files to 7z. So the source file is deleted and will be compressed to the 7z archive. Because of that, the tool has the possibility to restore the files from the sectors.
Here you can see my progress. The files and pictures are there without any problems.

 

https://imgur.com/oSqmfyl

 

mai2vin, this could save a lot of people if it can be a method everyone is able to apply.

Could you explain how you specifically achieved this? I'm a bit stuck at:

1. mounting the network as a local disk

2. using TestDisk to actually scan the specific .7z files (or any other method to retrieve the lost data).

 

My Steps:

FIRST: NO WRITING/CHANGE/DELETE/CRTEATE FILES AFTER ENCRYPTION ATTACK

MAKE SURE THE NAS IS NOT AVAILABLE IN THE INTERNET, DELETE ALL EXPOSED HOST RULES ON YOUR ROUTER

The files are deleted after archiving and encrypting with 7z and exists in the not allocated space of your disk.

You need to have access the ssh terminal of your QNAP NAS (you can activate it over the GUI it doesn't change your data)

1. Create a samba share on your windows computer (yes it should be work on linux or macOS but I didn't tried it)

HowTo: https://pureinfotech.com/setup-network-file-sharing-windows-10/

You should use your Windows Account with a password (if your account haven't one, create it. You can delete it after recovering)

2. Login over SSH (Putty on Widows) on your NAS. You should use ypur admin credentials to login.

3. After Login you get an screen with some option. You didn't need it ant press only 'Q'. (Confirm it with 'Y') You should get a shell.

4. Connect to your samba share:

mkdir /mnt/rescue-share
sudo mount -t  cifs -o user=<USERNAMEOFREMOTECOMPUTER>//XXX.XXX.XXX.XXX/<NAMEOFYOURSHARE> /mnt/rescue-share
cd /mnt/rescue-share

5. look for your architecture (uname -a) for i386 or x86_64

Linux NAS-XXXX 4.14.24-qnap #1 SMP Tue Mar 2 06:10:10 CST 2021 x86_64 GNU/Linux

6. Download testdisk

i386: wget https://www.cgsecurity.org/testdisk-7.2-WIP.linux26.tar.bz2 -O testdisk.tar.bz2
x86_64: wget https://www.cgsecurity.org/testdisk-7.2-WIP.linux26-x86_64.tar.bz2 -O testdisk.tar.bz2

7. Untar testdisk, go to the directory and change the permissions of the executable

tar -xvf testdisk.tar.bz2
cd testdisk*
chmod +x ./photorec_static

8. Search for your volume. At me it was '/dev/mapper/cachedev1' (You can use df -h for it) and note it

FilesystemSizeUsedAvailableUse%Mounted on
none                    300.0M272.7M27.3M91%/
devtmpfs                938.4M8.0K938.4M0%/dev
tmpfs                    64.0M3.1M60.9M5%/tmp
tmpfs                   949.7M156.0K949.6M0%/dev/shm
tmpfs                    16.0M016.0M0%/share
/dev/mmcblk0p5            7.7M46.0K7.7M1%/mnt/boot_config
tmpfs                    16.0M016.0M0%/mnt/snapshot/export/dev/md9                493.5M140.1M353.4M28%/mnt/HDA_ROOT
cgroup_root             949.7M0949.7M0%/sys/fs/cgroup
/dev/mapper/cachedev1
                        898.3G573.5G324.3G64%/share/CACHEDEV1_DATA
/dev/md13               417.0M387.7M29.3M93%/mnt/ext
tmpfs                    48.0M72.0K47.9M0%/share/CACHEDEV1_DATA/.samba/lock/msg.lock
tmpfs                    16.0M016.0M0%/mnt/ext/opt/samba/private/msg.sock
//XXX.XXX.XXX.XXX/share1.8T104.7G1.7T6%/mnt/samba_spar_abo_share

9. open photorec_static with 'sudo ./photorec_static'
 

10. choose the /dev/mapper/cachedev1 disk (it should be the disk from step 8)

11. choose the ext2/3/4 partition

12. choose ext2/ext3 option
13. choose FREE option

14. chosse the directory you want on the share (if you follow exactly the steps, you only need to select once '..' and after it press c)

15. wait and the files would be recover in folders named 'recup_dir.X' on the share

16. sort the results (HAVE FUN xD)

Big thanks to the guys of received.eu and Tobias Vorwachs (https://twitter.com/tobias_vorwachs) for the help!