“Our QNAP NAS server was hacked and encrypted. Please help! Can we recover our data?”
“Our ASUSTOR NAS server was attacked by ransomware. Please help! Can we recover our data?”
Here is how you can recover files from a hacked and encrypted NAS server. It doesn’t necessarily need to be QNAP – but that brand was hit particularly badly in June 2020. Please take note – the server is a crime scene, just like you have seen on TV. You should take caution when ‘touching’ it as every move you make in and around the hacked machine is tampering with:
- The evidence could show how it happened, why, and how you can prevent it in the future
- The chances to recover the files from that server
Here is how these hacks usually happen and how NAS servers get encrypted by hackers
Hacking and encrypting NAS servers is incredibly profitable for criminals globally. The risks are low, and the chances of a financial reward when the victim pays the ransom are high. If they encrypted some poor bloke’s home computer, chances are it will simply get reinstalled. But if they encrypt a company’s NAS storage, the data in it is vital to the company operations and, if not restored, could even mean the business going bankrupt. As hackers operate with Bitcoin or other cryptocurrencies, it is incredibly difficult (but not impossible) to trace the money back to them.
They seek vulnerable NAS servers globally using automated vulnerability scanners and attempting to guess passwords to them. Once a vulnerability is found, or a password is guessed, they log in and run an encryption program.
The image above is a technical diagram of how hackers attack a NAS server before encrypting all the data on it. What you should be looking at as the initial vector of compromise is the first column: “Initial Access.” If you ask “how it happened” – the answer usually lies there.
The hackers usually have more objectives than encrypting your NAS.
What are they?
- Make money
- Retain control of the server until they make money
- If the victim refuses to pay, they must ‘convince’ the victim to do it. How?
- They take a copy of all data before encrypting it and download it to their computers.
- This data is then analyzed for blackmail opportunities. They could blackmail the victim company and/or its clients. So you see how quickly their monetization opportunities grow.
- We have also seen cases when the hackers start blackmailing the company’s employees and management with personal data stored in the data stolen.
- If you change all passwords on that NAS server, it’s still not secure. Hackers usually install hidden backdoors in the server. Those backdoors or rootkits then monitor every login, see very new password entered, and can regain control of the server any time they want.
- If they don’t make money by ransom, they can still utilize the server for ‘mining’ cryptocurrency, in other words, use its computing resources. We have also seen cases where compromised NAS storage servers were used to distribute adult pornography or pirated content for which the victim company could be liable.
Every second that the server is running, you run the following risks:
- The Operating System, the applications installed, and services running produce thousands of write operations per second. Every write operation overwrites recoverable files, this is how operating systems and applications work. Every second of the compromised NAS server being on, you lose more and more of the recoverable data. Shut it down!
- Make a forensic copy of the disks. If it is a virtual machine, you are in luck – just copy (a full copy, no snapshots!) the virtual machine. Then make a bit-by-bit copy of the virtual machine disk file. Use FTK Imager to make a forensic copy of any disks, files, or virtual machines. Use regular copy only if using forensic imaging software is impossible.
- If possible, do all of the above while making sure the network is disconnected. Even if you changed all passwords for accessing the server, if there is a rootkit or a backdoor installed, the hackers are with you there and can continue causing damage, leaking data, encrypting files again.
- Start the recovery process by powering on a new server with a copy of the copy of the disks. Alternatively, power on a copy of the copy of the virtual machine. Never touch the original copy of the infected server’s drives! It is your only chance of having untampered evidence and untampered data to work with for the file recovery.
- Never trust the initially infected or compromised NAS server again. Hackers are incredibly good at hiding backdoors – some have taken up to 8 years to be discovered by security companies. Consider ALL passwords ever used to access that NAS server compromised – never use them again and if you still use them somewhere else, change them – because the hackers now know them. If you used a pattern – never use that password pattern again. Any credentials used by your IT team to access that server are now, possibly, compromised. They should also be changed to an entirely new password. No more P@ssw0rd123s!
- Install a new NAS server, from scratch, and start uploading clean data on it only after hardening it against a breach. That means:
- Follow the DISA STIG guidelines for security hardening, depending on the Operating System of the server.
- Update all software on the server, not just the Operating System – if that software has a STIG for it, use it.
- Use 25+ character passwords, unique to this server.
- If possible, enable 2-factor authentication for logging in as an Administrator to the server. It is your NAS server, a password alone mustn’t grant access to it.
- Decryptors for encrypted NAS servers usually become available after a while. It could be a week; it could be six months or a year, or never. Preserve the original forensic copy in secure storage if file recovery was impossible. Check what was the encryption method used and monitor for the availability of a decryptor.
If you want to see how to prevent this before it even happens, head over to our cybersecurity services page – there are 14 different ways we can fight against hacking attacks. Not even one of them is an antivirus.
Finally, we are here to help. Use the emergency number on the top of this page or head over to our contact page - we will assist you immediately.
We help first and bill second only after and if you agree to the price.