Reallocate Data on Removed Drive set in RAID 1 (QLocker Recovery)

Questions about SNMP, Power, System, Logs, disk, & RAID.
Post Reply
msolav
New here
Posts: 2
Joined: Thu Apr 22, 2021 10:16 pm

Reallocate Data on Removed Drive set in RAID 1 (QLocker Recovery)

Post by msolav »

Hello everyone,

I've got a TS-551 (three hard-disk, two SSD) NAS from QNAP.
The configuration was 2x4TB and 1x8TB.
The 8TB drive basically mirrored the two 4TB drives in a RAID1 configuration.

When I got hit by the QLocker ransomware, my immediate response was to turn-off the device and remove the 8TB copy.
I am now in the process of recovering some of the lost data by plugging the 8TB onto a PC using a SATA to USB cable.
However, it seems the data is now malformed by this removal of the drive.

More specifically, the memory is not allocated - and I know that I could put back the drive into the QNAP device to "fix" this (resync the drives in RAID1).
However, I'm looking for a way to avoid doing that, as the 4TB pair has been written-on and some of the files I want to recover might have been corrupted.
What would you folks recommend doing to reallocate the data directly from a PC (or a Mac)?

To be more specific, I need to allocate the space because the data maliciously encrypted by QLocker can still be found in the remaining unallocated space, and it would go a lot faster to scan that remaining space rather than the full disk.

Thank you in advance for any advice you can think of!
msolav
New here
Posts: 2
Joined: Thu Apr 22, 2021 10:16 pm

Re: Reallocate Data on Removed Drive set in RAID 1 (QLocker Recovery)

Post by msolav »

Alright, an important update for anyone who might take interest in this.
I'm actually getting extremely nervous and feeling distress over the issue, and perhaps I should have taken more precaution.

So first, I might have screwed up.
I have decided to reinsert the removed drive back into the NAS, hoping that it would easily be able to Rebuild the RAID-1 configuration (as it had done in the past).

However, this happened:
As expected, the drive showed as "Degraded" and I was asked to Rebuild it.
The word "Recover" also popped, which is the last option I was able to click on.
It is worth mentioning that the NAS has decided that I should put the drives in a RAID-5 configuration (the reason why eludes me),
and I did not think to verify the implications of this before proceeding - this is in fact what worries me most here.

Now the other stressful incident is that the Web-Interface suddenly became inaccessible from there on.
The disks seem to be quite actively working. But there is no way to get any feedback as to what precisely is going on,
if anything is actually going on, when it'll end or when I'll be able to access the web-interface again.

At this point, I feel that the worst thing to do would be to intervene in any way and hope that it somehow Rebuilds everything and all the data is intact.
That would only be a partial relief, as this probably implies that all the unallocated data that I was counting on to retrieve the QLocker-encrypted data
has been overwritten enough that it is completely corrupted and hopelessly irretrievable. This is likely, and precisely what I had hoped to avoid.
There is still a chance that the NAS found no reason to touch the unallocated space (best case scenario).

The other possible worst-case scenario is that something bad is going-on at the very moment and that even more data might be at stake.
There seems to be no way to tell. I've sent a support ticket to QNAP because I'm going through a lot of distress over the potential loss of this data.

QLocker already nearly got me in a complete nervous-breakdown, and I regret not having ordered a new 8TB to simply copy everything to be put in a safe.
Any help or thought at this point would mean a lot. Thank you.
Post Reply

Return to “System & Disk Volume Management”