Dafotec Belgium · Data recovery · ISO 5 cleanroom laboratory in Roubaix since 2004 · 02 586 31 10
Case study · Synology NAS — ransomware

An encrypted NAS, 24 TB and zero ransom

E-commerce SMB in Charleroi, Monday morning: every NAS file has an unknown extension and a ransom note. The eCh0raix ransomware hit the DS920+. Yet seven days later, business resumed — without paying the attackers a cent.

Device: Synology DS920+
Recovered: 24 TB
Turnaround: 7 days
Ransom paid: €0

The context

An e-commerce SMB in Charleroi centralizes its product sheets, visuals, invoices and customer databases on a Synology DS920+ NAS (4 × 8 TB in SHR, i.e. 24 TB usable). One Monday morning, nothing is readable: every file carries a foreign extension, and a note demands a cryptocurrency payment. Diagnosis: eCh0raix, a ransomware specifically targeting QNAP and Synology NAS.

The IT team's reflex was right: immediately disconnect the NAS from the network and try nothing. That's what changed everything.

What you must never do. Pay the ransom (nothing guarantees the key), delete the encrypted files, recreate the volume, or leave the NAS connected. And above all: don't delete the snapshots — that's exactly where salvation hides.

The intervention

The NAS is entrusted to us as a business emergency. The golden rule applies: we never work inside the original enclosure. Steps:

  • Extraction of the 4 disks and sector-by-sector cloning, behind a write blocker, on a dedicated bench.
  • SHR volume reconstruction (mdadm + LVM stack) outside the enclosure, from the images.
  • Analysis of the Btrfs file system and inventory of the snapshots: eCh0raix had encrypted the visible files but ignored the read-only snapshots predating the attack.
  • Mounting the snapshot dated the day before the intrusion and extracting the healthy state: product sheets, visuals, accounting, customer databases.

Processing was done on an air-gapped network, to rule out any spread during analysis.
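The bench procedure above, as an added example that is not Dafotec's own tooling: images are attached read-only, the md array and LVM stack are assembled without writing, and the newest read-only Btrfs snapshot created before the first ciphertext appeared is chosen and mounted. The data-partition index (p3), the logical-volume path /dev/vg1/volume_1 and the sample `btrfs subvolume list` output are assumptions.

```shell
#!/bin/sh
# Added example, not Dafotec's own tooling: rebuild the SHR volume from the four
# images read-only and pick the newest read-only Btrfs snapshot created before
# the first ciphertext appeared. Assumed: data partition is p3 on each disk
# (DS920+ layout) and the SHR logical volume is /dev/vg1/volume_1.
set -eu
LV=/dev/vg1/volume_1   # assumed LV path

# Attach an image as a read-only loop device; prints the loop device name.
attach_image() { losetup --find --show --read-only --partscan "$1"; }

# Assemble the md array and activate LVM without writing to the images.
assemble_readonly() {    # $@: data partitions, e.g. /dev/loop0p3 ...
    mdadm --assemble --readonly /dev/md/shr "$@"
    vgchange -ay
    mkdir -p /mnt/shr && mount -o ro "$LV" /mnt/shr
}

# Constructed sample of `btrfs subvolume list -s -r /mnt/shr` (not real output).
sample_snapshot_list() {
    cat <<'EOF'
ID 258 gen 9012 cgen 8000 top level 5 otime 2024-03-09 02:00:00 path @sharesnap_products/GMT+01-2024.03.09-02.00.00
ID 259 gen 9100 cgen 9050 top level 5 otime 2024-03-10 02:00:00 path @sharesnap_products/GMT+01-2024.03.10-02.00.00
ID 260 gen 9300 cgen 9280 top level 5 otime 2024-03-11 02:00:00 path @sharesnap_products/GMT+01-2024.03.11-02.00.00
EOF
}

# Newest snapshot created strictly before cutoff "YYYY-MM-DD HH:MM:SS" (the
# earliest mtime seen on an encrypted file): a snapshot taken after encryption
# began already holds ciphertext, so the latest one is never taken blindly.
latest_snapshot_before() {
    awk -v cutoff="$1" '
        { for (i = 1; i <= NF; i++) {
              if ($i == "otime") ts = $(i + 1) " " $(i + 2)
              if ($i == "path")  p  = $(i + 1)
          }
          if (ts < cutoff && ts > best_ts) { best_ts = ts; best = p }
        }
        END { if (best != "") print best }'
}

# Mount the chosen snapshot read-only; copy out of it, never from the live tree.
mount_snapshot() { mkdir -p /mnt/clean && mount -o ro,subvol="$1" "$LV" /mnt/clean; }

# Usage (root, on the bench): sh recover.sh disk1.img disk2.img disk3.img disk4.img
if [ "$#" -eq 4 ]; then
    parts=""; for img in "$@"; do parts="$parts $(attach_image "$img")p3"; done
    assemble_readonly $parts
    mount_snapshot "$(btrfs subvolume list -s -r /mnt/shr | latest_snapshot_before "2024-03-10 23:40:00")"
fi
```

The cutoff passed at the end is the assumed timestamp of the earliest encrypted file found during analysis; it is what makes the script select the snapshot from the night before rather than the one taken after encryption had started.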

The result

In seven days, all 24 TB was restored to its state the day before the attack — near-zero data loss. The files were returned on a new encrypted array, after VeriFiles list approval. No ransom was paid. The company resumed activity, and we recommended a 3-2-1-1-0 strategy with an offline copy so the next attack is a non-event.

The lesson. Against ransomware, the first asset isn't the decryption key: it's the snapshots. Enabled and preserved, they turn a disaster into a simple rollback. You just have to not destroy them in a panic.

NAS encrypted? Don't pay

An attack in progress? Disconnect, call.

Cut the NAS off the network, delete no snapshot, and hand it to us. Often, your data is restorable without a ransom. Free diagnosis within 24h.
