Sorry to see you here, another victim of eCh0raix. I know you are desperate now; I was too. I hope my experience can help you recover some of your photos.

My rescue is about recovering photos from my NAS, identifying thumbnails and original photos, and grouping the massive number of photos so you can find what you need in the recovered data.

Background

The disaster happened to my sister on 21 Apr 2021. She has a QNAP TS-253A, a 2-bay NAS, to back up the photos and videos from her iPhone. One day she found that her photos had become .encrypt files. Since she lives very far away from me, I could not access the NAS or the HDD physically and could only work remotely.

What you should do immediately

  1. If you know you are in the middle of a hack, e.g. you can see the ransomware running in Resource Monitor, you may have a chance to capture the key from that running process. But this needs some advanced technique.
  2. If you are not an IT guy, SHUT DOWN your NAS immediately.
  3. If you have RAID 1, pull out one of your HDDs to preserve a copy as a backup.
  4. Ransomware needs to talk to the attacker's servers for command and control, so it is better to keep your NAS offline during the rescue. For a direct connection, see https://www.qnap.com/en/how-to/knowledge-base/article/how-to-set-up-a-direct-connection-test
  5. Now you can log in to the NAS to see how much damage there is, and back up the files which are not encrypted.
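Step 5 is the one worth scripting, because a share with tens of thousands of files is hard to judge by eye. The following script is an added example and is not part of the original post: it counts how many files carry the .encrypt suffix the post observed, counts how many are still readable, and copies the readable ones to the external drive while keeping the directory layout. The share and drive paths (/share/CACHEDEV1_DATA and /share/external/DEV3301_2) are the ones the post uses later; the sample tree built by make_sample_tree is constructed for demonstration. It uses only find, mkdir, cp, wc and tr so it runs in the BusyBox shell on the NAS as well as on a desktop.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates step 5:
# measure how much of the share is encrypted and copy the files the
# ransomware did not touch to the external drive. Paths and the
# ".encrypt" suffix are taken from the post; the sample tree is constructed.

# Number of files under $1 that carry the .encrypt suffix.
count_encrypted() {
    find "$1" -type f -name '*.encrypt' | wc -l | tr -d ' '
}

# Number of files under $1 that do not carry the suffix (still readable).
count_clean() {
    find "$1" -type f ! -name '*.encrypt' | wc -l | tr -d ' '
}

# Copy every non-encrypted file from $1 to $2, keeping the relative
# directory layout and timestamps. Prints the number of files now in $2.
backup_unencrypted() {
    src=${1%/}
    dst=${2%/}
    find "$src" -type f ! -name '*.encrypt' | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
    done
    count_clean "$dst"
}

# Constructed sample tree standing in for a partly encrypted share:
# two readable files and two that the ransomware has already replaced.
make_sample_tree() {
    root=$1
    mkdir -p "$root/Photos/2021" "$root/Videos"
    printf 'jpeg bytes' > "$root/Photos/2021/IMG_0001.jpg"
    printf 'ciphertext' > "$root/Photos/2021/IMG_0002.jpg.encrypt"
    printf 'mov bytes'  > "$root/Videos/clip.mov"
    printf 'ciphertext' > "$root/Videos/clip2.mov.encrypt"
}

# Demo on the constructed tree. On the NAS you would instead run
#   backup_unencrypted /share/CACHEDEV1_DATA /share/external/DEV3301_2/rescue
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/data"
    echo "encrypted: $(count_encrypted "$tmp/data")"
    echo "readable:  $(count_clean "$tmp/data")"
    echo "copied:    $(backup_unencrypted "$tmp/data" "$tmp/rescue")"
    rm -rf "$tmp"
}

if [ "${1-}" = demo ]; then
    demo
fi
```

Run it as `sh rescue.sh demo` to see the counts on the constructed tree; on the NAS, source the file and call backup_unencrypted with the real share and a directory on the external drive. Copying by suffix is deliberately conservative: a file without the .encrypt suffix is assumed intact, and anything the ransomware had already renamed is left for PhotoRec.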

Recovery

Recovery does not mean getting back 100% of the encrypted data; it only minimises the damage. If you are looking for 100% recovery, you will need to pay the hacker for your key.

The idea of recovery is simple: since the ransomware deleted the original files after encrypting them, the original files may still be on the HDD. We can use PhotoRec to get them back.

Steps:

  1. Connect an external drive to the NAS and make sure it has enough space.

  2. Log in via SSH

    Go to Control Panel > Allow SSH connection

    Remember to turn it OFF after the recovery.

    Start a terminal on your computer and enter ssh admin@{Your NAS IP}. After login, press Q to go to the normal shell environment. You are now inside the NAS.

    In my environment, my data is inside /share/CACHEDEV1_DATA. When an external HDD is connected, it appears at /share/external/DEV3301_2.

  3. Download PhotoRec (I used PhotoRec 7.2) and execute it:

    curl -LO https://www.cgsecurity.org/testdisk-7.2-WIP.linux26-x86_64.tar.bz2
    tar jxf testdisk-7.2-WIP.linux26-x86_64.tar.bz2
    cd testdisk-7.2-WIP
    ./photorec_static

  4. Choose the drive you need to recover