Data Recovery After Ransomware on Servers & NAS

LockBit, BlackCat/ALPHV, Cl0p, Akira, DeadBolt, QLocker — recovery without paying ransom

  • Diagnosis: Free
  • Platforms: Windows/Linux/NAS
  • From: €2,200
  • Emergency: 24-48h
  • Success: 70-95%

Ransomware in enterprise environments: the real threat

Enterprise ransomware is not the same as what affects a home PC. Today's ransomware groups attack complete infrastructures: servers, NAS, backups and virtual machines. Their goal is to paralyse the entire business to maximise payment pressure. According to INCIBE, Spain received over 120,000 cybersecurity incidents in 2025, with ransomware as the main threat to SMEs.

🦠 LockBit 3.0 / LockBit Black

The most globally active ransomware group. Encrypts Windows and Linux servers, ESXi virtual machines and shared volumes. Uses AES-256 + RSA-2048 encryption. The executable is deployed via Active Directory GPO to encrypt all domain machines simultaneously.

🐈 BlackCat / ALPHV

Written in Rust, cross-platform (Windows, Linux, ESXi). Known for «double extortion»: encrypts data and threatens to publish it. Specifically targets ESXi VMFS volumes and Hyper-V VHDX to paralyse the entire virtual infrastructure.

🔒 Cl0p

Specialises in exploiting file transfer vulnerabilities (MOVEit, GoAnywhere). Exfiltrates data massively before encrypting. Affects file servers, SQL databases and shared volumes on enterprise NAS.

🔐 Akira

Relatively new ransomware targeting SMEs through Cisco VPN without MFA. Encrypts Windows servers, Linux and NAS. Particularly aggressive with backups: actively seeks and destroys backups before encrypting production data.

🔒 DeadBolt (NAS)

Specific to QNAP and Synology NAS exposed to the internet. Encrypts files at the shared folder level with AES-128. Files appear with the .deadbolt extension. The NAS login page is replaced by the ransom note. Exploited vulnerabilities in QTS and Photo Station.

🔒 QLocker / eCh0raix (NAS)

QLocker uses 7-Zip to compress QNAP NAS files with a password. eCh0raix attacks Synology and QNAP NAS via SSH brute force or known vulnerabilities. Both are less sophisticated than LockBit but equally destructive to victim data.

Attack vectors: how ransomware gets in

  • Exposed RDP (port 3389): The #1 vector in Spain. Windows servers with Remote Desktop accessible from the internet, weak passwords and no MFA. Attackers brute-force the logins or buy leaked credentials on dark web markets.
  • VPN without MFA: Corporate VPNs (Cisco, Fortinet, Pulse Secure) without multi-factor authentication. Attackers use compromised valid credentials to access the internal network as a legitimate employee.
  • Targeted phishing (spear phishing): Personalised emails with malicious attachments or links to malware download sites. The initial payload (Cobalt Strike, Brute Ratel) establishes persistence and moves laterally across the network.
  • Exposed NAS vulnerabilities: Synology and QNAP NAS with ports 5000/5001/8080 directly accessible. CVE-2021-28799 (QNAP HBS3), CVE-2022-27593 (QNAP Photo Station), CVE-2021-28797 (Synology).
  • Supply chain: Compromised legitimate software updates (SolarWinds/Kaseya case) that deploy ransomware through remote management tools (RMM) used by IT providers.
  • Exchange Server exploitation: ProxyShell/ProxyLogon vulnerabilities in on-premise Microsoft Exchange. Attackers gain SYSTEM-level code execution and deploy ransomware across the entire domain.

What to do immediately after a ransomware attack

⚠ The first 30 minutes are critical. Follow these steps in order:

  1. Disconnect the network immediately. Unplug the network cable from affected servers. Do not shut down the machines (data in RAM may contain encryption keys), but isolate them from the network to stop lateral propagation.
  2. Do not pay the ransom. There is no guarantee you will receive the decryption key. Furthermore, paying funds criminal activity and makes you a recurring target. 80% of companies that pay are attacked again.
  3. Do not format or reinstall. Formatting destroys forensic evidence and possible recovery paths (shadow copies, snapshots, keys in memory). Do not reinstall Windows or the NAS operating system.
  4. Document everything. Screenshot of the ransom note, encrypted file extension, exact time of attack, affected machines. This information is critical to identify the ransomware variant.
  5. Contact professionals. A data recovery laboratory can analyse the variant, check if a public decryptor exists and propose alternative recovery strategies (shadow copies, RAID, snapshots).
  6. Report to INCIBE (017) and the National Police (Technology Investigation Brigade). It is mandatory for companies with personal data (GDPR Art. 33: notification within 72h to the DPA).
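As an added example for the documentation step above (not the laboratory's own tooling): a Python triage script that inventories a share, picks out the likely ransomware extension, candidate ransom notes and the time window in which files were encrypted. The note-name pattern, the double-extension heuristic and the constructed sample tree are assumptions.

```python
"""Triage inventory of a suspected ransomware-encrypted share (added example)."""
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Assumption: ransom notes are small text/HTML files with names like these.
NOTE_NAME_RE = re.compile(r"read[_ -]?me|restore|recover|decrypt|how[_ -]?to", re.I)
NOTE_EXTS = {".txt", ".html", ".hta"}
NOTE_MAX_BYTES = 64 * 1024

def _iso(t):
    return datetime.fromtimestamp(t, timezone.utc).isoformat()

def inventory(root):
    """Walk ROOT and return a dict describing what the attack left behind."""
    outer_exts = Counter()   # last extension of double-extension files (x.docx.abc -> .abc)
    notes, mtimes = [], {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            mtimes[path] = os.stat(path).st_mtime
            if NOTE_NAME_RE.search(stem) and ext in NOTE_EXTS and os.path.getsize(path) <= NOTE_MAX_BYTES:
                notes.append(path)
            elif os.path.splitext(stem)[1]:   # a second extension remains: likely renamed by the malware
                outer_exts[ext] += 1
    suspect = outer_exts.most_common(1)[0][0] if outer_exts else None
    hits = [p for p in mtimes if suspect and p.lower().endswith(suspect)]
    window = None
    if hits:   # mtime range of the renamed files approximates when encryption ran
        ts = sorted(mtimes[p] for p in hits)
        window = (_iso(ts[0]), _iso(ts[-1]))
    return {"suspect_ext": suspect, "encrypted": len(hits), "notes": sorted(notes), "window": window}

def make_sample():
    """Constructed sample tree mimicking a NAS share hit by DeadBolt (not real data)."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    base = 1_700_000_000   # arbitrary epoch seconds so timestamps are reproducible
    for rel, mtime in [("finance/report.docx.deadbolt", base + 120), ("db/crm.mdf.deadbolt", base + 900),
                       ("photos/2019.jpg", base - 86400), ("!!!READ_ME.txt", base + 60)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"x" * 32)
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    print(inventory(make_sample()))
```

Run it against a read-only mount or a clone of the share, never the live NAS, so that the walk itself does not change access metadata you may later need.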

Our post-ransomware recovery approach

We do not depend on decryption. Our approach combines multiple techniques to maximise data recovery without paying ransom:

1. Variant identification

We analyse the ransom note, file extension and encryption patterns to identify the exact variant. We consult decryptor databases (No More Ransom, ID Ransomware) in case a public decryption tool exists.

2. Shadow copies and snapshots

Many ransomware families attempt to delete Windows Volume Shadow Copies (VSS), but they do not always succeed completely. We analyse the volume at disk level looking for residual shadow copies. On NAS, we look for Btrfs/ZFS snapshots that may have survived.

3. RAID reconstruction

If the server uses RAID, we clone all disks and virtually reconstruct the array. In many cases, the original (unencrypted) files remain in unoverwritten RAID sectors, especially if encryption was partial or interrupted.

4. Filesystem forensic analysis

Ransomware typically either encrypts in place (overwriting the original file) or uses encrypt-and-delete (writing a new encrypted file and then deleting the original). In the second case, the original file's data remains on disk until its space is reused, so recovery via carving and journal analysis is viable.

5. Decryptor database

We maintain an updated database of public decryption keys and tools. When law enforcement dismantles a group (Hive case, LockBit case), keys are published. We check every case against available keys.

Cases we recover

💻 Encrypted virtual machines

Encrypted VMDKs on ESXi, encrypted VHDXs on Hyper-V. If the ransomware partially encrypted the VMFS datastore or if VM snapshots exist from before the attack, VM content recovery is viable. We also recover VMs from encrypted Veeam/NAKIVO backups.

🖥 Encrypted enterprise NAS

Synology, QNAP, WD My Cloud with shared folders encrypted by DeadBolt, QLocker, eCh0raix. Recovery via residual Btrfs snapshots, previous versions in @Recently-Snapshot, or carving of unoverwritten files in the file system.

🗃 Encrypted SQL databases

SQL Server (.mdf/.ldf), MySQL, PostgreSQL. Databases tend to be large files that ransomware encrypts partially (only the first few MB). Reconstructing unencrypted data pages allows recovery of a high percentage of records.
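Added example (not the laboratory's code) for the partial-encryption point above, and for the "partial or interrupted" encryption case in the RAID reconstruction step: a Python chunk-entropy map that shows which byte ranges of a large database file were overwritten with ciphertext and which pages are still intact. The chunk size, the entropy threshold and the constructed sample file are assumptions.

```python
"""Chunk-entropy map of a partially encrypted file (added example, not the page's tooling)."""
import math
import os
import tempfile

CHUNK = 4096            # assumption: 4 KiB, the same order of magnitude as a database page
ENC_THRESHOLD = 7.5     # bits per byte; ciphertext is close to 8.0, text and DB pages far lower

def shannon_entropy(data):
    """Bits per byte of DATA (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_map(path):
    """Return runs of (offset, length, state) where state is 'encrypted' or 'intact'."""
    runs, off = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            state = "encrypted" if shannon_entropy(chunk) >= ENC_THRESHOLD else "intact"
            if runs and runs[-1][2] == state:            # extend the current run
                runs[-1] = (runs[-1][0], runs[-1][1] + len(chunk), state)
            else:
                runs.append((off, len(chunk), state))
            off += len(chunk)
    return runs

def intact_fraction(runs):
    """Share of the file that still holds recoverable plaintext."""
    total = sum(length for _, length, _ in runs)
    return sum(length for _, length, s in runs if s == "intact") / total if total else 0.0

def make_sample():
    """Constructed sample: 64 KiB of random bytes standing in for the encrypted head of an
    .mdf, followed by 200 KiB of repetitive row-like records (not a real database)."""
    fd, path = tempfile.mkstemp(suffix=".mdf")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(64 * 1024))
        f.write(b"".join(b"customer,%05d,Madrid,ES\n" % i for i in range(8192)))
    return path

if __name__ == "__main__":
    m = entropy_map(make_sample())
    for off, length, state in m:
        print(f"{off:>8} +{length:<7} {state}")
    print(f"intact: {intact_fraction(m):.1%}")
```

Compressed or already-encrypted content (zip, JPEG, encrypted backups) also scores near 8 bits per byte, so the map is a triage aid for locating surviving pages, not proof of what the ransomware touched.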

📦 Encrypted backups

Veeam (.vbk/.vib), Acronis (.tibx), Windows Server Backup, Time Machine. Attackers actively seek and destroy backups. If backups were on separate volumes, offline or with immutability enabled, they may be the primary recovery path.

Choose your service level

Three options tailored to your urgency and budget

Economy
  • 15-25 days
  • Not available for ransomware

⚡ Emergency
  • 24-72 h
  • From €3,200 + VAT
  • Top priority
  • Immediate diagnosis
  • Dedicated team

Post-ransomware recovery timeframes and pricing

| Scenario | Description | Timeframe | Price |
|---|---|---|---|
| Encrypted NAS (DeadBolt/QLocker) | Synology/QNAP NAS with encrypted files. Recovery via snapshots, carving or known decryptor. | 4–12 days | €2,200–4,000 |
| Encrypted Windows server | Server with RAID + NTFS/ReFS encrypted. Shadow copies, journal analysis, RAID reconstruction. | 7–20 days | €3,500–6,000 |
| Encrypted VMs (ESXi/Hyper-V) | Encrypted VMDK/VHDX. VMFS reconstruction, VM snapshot analysis, data carving from VM. | 10–25 days | €4,000–8,000 |
| Emergency | Absolute priority. Dedicated 24/7 team including weekends. | 24–72h | +50% |

Frequently asked questions about server ransomware

Should ransomware ransoms be paid?

No. According to the FBI, Europol and INCIBE, paying the ransom does not guarantee recovery (only 65% of those who pay receive a functional decryptor), funds criminal organisations and makes the company a recurring target. Additionally, paying sanctioned groups (such as those linked to North Korea) can have legal consequences.

Is there a free decryptor for my ransomware variant?

It depends on the variant. The No More Ransom project (nomoreransom.org), backed by Europol, publishes free decryptors regularly. There are also tools from Kaspersky, Emsisoft and Avast for specific variants. Upload an encrypted file and the ransom note to ID Ransomware (id-ransomware.malwarehunterteam.com) to identify the variant and check for an available decryptor.

How do you recover data if the encryption is AES-256 and there is no decryptor?

We do not attempt to break the encryption (it is computationally infeasible). Our approach is to recover data without decrypting: undeleted Windows shadow copies, Btrfs/ZFS snapshots on NAS, original files deleted but not overwritten («encrypt-and-delete» type), previous versions in backups, data in free disk space. Success rate depends on the ransomware type and elapsed time.

My QNAP NAS was attacked by DeadBolt. What are the chances?

DeadBolt encrypts file by file with AES-128 and deletes the original. If your QNAP has Btrfs and had snapshots enabled, the original files may be intact in the snapshots. If the NAS uses EXT4, recovery depends on whether the deleted files' space has been overwritten. The sooner you act, the better: do not use the NAS for anything else, do not install updates, do not write new data.

Am I required to notify the Data Protection Authority about the attack?

If the ransomware affected personal data (customers, employees, suppliers), yes. GDPR (Art. 33) requires notification to the supervisory authority within a maximum of 72 hours from becoming aware of the breach. If there is high risk to the rights of data subjects, they must also be notified directly (Art. 34). Non-compliance can result in fines of up to 20 million euros or 4% of global turnover.

How long does it take to recover a server encrypted by LockBit?

LockBit encrypts rapidly (AES + RSA) and aggressively deletes shadow copies (vssadmin.exe delete shadows /all). Recovery depends on: (a) whether backups survived, (b) whether encryption was completed 100% or was interrupted, (c) whether the server uses RAID with residual data. Typical timeframe: 10-20 days for complete analysis + extraction. Emergency service: 3-7 days.
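Added example (not the laboratory's or any vendor's code): detection logic for the vssadmin shadow-copy deletion mentioned above, run over constructed process-creation log lines, which also yields the earliest deletion per host as a starting point for the attack timeline. The log format and the sample lines are assumptions.

```python
"""Flag shadow-copy deletion in process-creation logs (added example, not the page's tooling)."""
import re

# Constructed sample in a simplified "time|host|parent|user|command line" format (assumption:
# a real deployment would read Windows 4688 or Sysmon event 1 records instead).
SAMPLE_LOG = """\
2025-03-14T02:11:05|FS01|services.exe|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe -k netsvcs
2025-03-14T02:13:40|FS01|cmd.exe|CORP\\svc_backup|vssadmin.exe list shadows
2025-03-14T02:14:02|FS01|cmd.exe|CORP\\svc_backup|"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /All /Quiet
2025-03-14T02:14:30|DC01|powershell.exe|CORP\\admin|vssadmin delete shadows /for=C: /oldest
2025-03-14T09:00:00|FS02|explorer.exe|CORP\\jdoe|notepad.exe C:\\Users\\jdoe\\notes.txt
"""

# Matches "vssadmin delete shadows" regardless of case, full path, quoting or extra switches.
SHADOW_DELETE_RE = re.compile(r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I)

def parse_line(line):
    time, host, parent, user, cmd = line.split("|", 4)
    return {"time": time, "host": host, "parent": parent, "user": user, "cmd": cmd}

def find_shadow_deletion(log_text):
    """Return one alert dict per process-creation line that deletes shadow copies."""
    return [parse_line(l) for l in log_text.splitlines() if l and SHADOW_DELETE_RE.search(l)]

def first_seen_per_host(alerts):
    """Earliest deletion per host: a lower bound for when the attack reached that machine."""
    first = {}
    for a in sorted(alerts, key=lambda a: a["time"]):
        first.setdefault(a["host"], a["time"])
    return first

if __name__ == "__main__":
    hits = find_shadow_deletion(SAMPLE_LOG)
    for a in hits:
        print(f"{a['time']} {a['host']:5} {a['user']:18} parent={a['parent']:15} {a['cmd']}")
    print(first_seen_per_host(hits))
```

Listing shadows is benign and backup agents sometimes delete old ones legitimately, so treat a hit as a triage signal to correlate with the parent process and account rather than as proof on its own.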

🚨 Has your server or NAS been encrypted by ransomware?

Do not pay the ransom. Do not format. Do not shut down the machines. Contact us now.

Every minute counts: data in RAM may contain encryption keys.

Or call us now: 900 899 002 — Business days 9:00–19:00

Service Available Across All Spain

Free collection* within 24h · 4-hour diagnosis · No recovery, no fee


Técnica Ingeniería y Robótica Aplicada S.L. as data controller will process your data to respond to your enquiry. You can access, rectify and delete your data as detailed in our Privacy Policy (ES).
