Ransomware Qlocker: How to restore your data (for the most part)

19. May, 2021

At the end of April thousands of QNAP users were hit by a ransomware attack. The hackers used an exploit to encrypt all the files on the NAS drives with 7-zip using a 32 character long key for an AES encryption. As ransom they wanted 0,01 Bitcoins, about 500 Dollars. Some were lucky, but some of the victims paid the ransom, but got no key to decrypt their files. In the meantime the amount was tripled to 0,03 Bitcoins.

 Qlocker 01Two Austrian security experts analyzed the method the hackers used and found out, that they made the mistake to delete the original files after encryption. So by undeleting the files on the ext4 partition you get most of your files back, but sadly with no meaningful names, without a directory structure and all with the same timestamp. What was needed, was a script that looks for the original names and timestamps. By matching the size and CRC32 of the original and the undeleted files most of the information is recoverable. But be aware that you will not get back all of your files!

Here is the writeup and the basic script to get the files back. In one instance it was able to recover about 90% of the files.

Download PDF

Download shell-script



Defense in Depth
Beat The Best
Microsoft Exchange
*IKARUS quick survey (Q1 / 2021): Cybersecurity in times of corona
Flash End