Data recovery from a NAS
NAS won't boot, crashed volume, disks in error, files encrypted by ransomware. A NAS isn't just a box of disks: it's a proprietary RAID (SHR, X-RAID) on a Btrfs or ZFS file system. We rebuild it outside the enclosure — and know how to exploit its snapshots after an attack.
Does your NAS show one of these signs?
- No more network access, abnormal LEDs, repeated beeping. Often the disks are healthy: it's the enclosure (power, DSM) that fails. 95% if disks intact.
- The NAS reports a "crashed" or "degraded" volume: one or more member disks have dropped out of the SHR / RAID. 95% with 1 disk down.
- eCh0raix, Qlocker, DeadBolt: changed extensions, ransom note. Earlier snapshots are often intact. 92% via Btrfs/ZFS snapshots.
- Volume recreated, share deleted, bad update: the underlying data often remains recoverable. 85%+ on logical failure.
What the laboratory actually does.
Reconstruction outside the enclosure
We extract the disks from the NAS and clone them sector by sector. All analysis then happens on the copies, on a dedicated bench — never in the original NAS, which could rewrite the volume on boot.
Decoding SHR, X-RAID, classic RAID
Synology's SHR and Netgear's X-RAID stack LVM and mdadm in a specific way. We reconstruct the full stack (members, order, stripe, parity) to remount the logical volume, whether SHR, SHR-2, RAID 1/5/6/10.
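As an added example (not the laboratory's own tooling), the member order, RAID level, chunk size and a per-member event counter can be read from the md superblock on each clone image, which also shows which member dropped out first. It assumes md metadata version 1.2 (superblock 4 KiB into the member) and images of the member partition rather than the whole disk; all function names are illustrative.

```python
import struct

MD_MAGIC = 0xA92B4EFC      # md superblock magic (little-endian on disk)
SB_OFFSET = 4096           # v1.2 metadata starts 4 KiB into the member
ROLE_FAULTY = 0xFFFE       # 0xFFFE = faulty, 0xFFFF = spare

def parse_md_superblock(buf):
    """Decode the fields that define member order from an md v1.x superblock."""
    magic, major = struct.unpack_from("<II", buf, 0)
    if magic != MD_MAGIC or major != 1:
        raise ValueError("no md v1.x superblock at this offset")
    level, layout, _size, chunk_sectors, disks = struct.unpack_from("<iIQII", buf, 72)
    dev_number, = struct.unpack_from("<I", buf, 160)
    events, _resync, _csum, max_dev = struct.unpack_from("<QQII", buf, 200)
    if dev_number >= max_dev:
        raise ValueError("dev_number outside the role table")
    role, = struct.unpack_from("<H", buf, 256 + 2 * dev_number)
    return {"array": bytes(buf[16:32]).hex(), "level": level, "layout": layout,
            "chunk_kib": chunk_sectors // 2, "disks": disks, "role": role,
            "events": events}

def read_member(image_path):
    with open(image_path, "rb") as f:   # clone image, never the original disk
        f.seek(SB_OFFSET)
        return parse_md_superblock(f.read(4096))

def plan_assembly(members):
    """members: {image name: parsed superblock} -> (slot order, stale members)."""
    first = next(iter(members.values()))
    if any(m["array"] != first["array"] for m in members.values()):
        raise ValueError("images belong to different arrays")
    newest = max(m["events"] for m in members.values())
    slots, stale = [None] * first["disks"], []
    for name, m in members.items():
        if m["role"] >= ROLE_FAULTY or m["role"] >= len(slots):
            continue                    # spare or faulty: holds no data slot
        if m["events"] < newest:
            stale.append(name)          # dropped out earlier, its data is older
        else:
            slots[m["role"]] = name
    return slots, stale

def constructed_superblock(dev_number, roles, events):  # constructed sample data
    sb = bytearray(4096)
    struct.pack_into("<II8x16s", sb, 0, MD_MAGIC, 1, b"\x11" * 16)
    struct.pack_into("<iIQII", sb, 72, 5, 2, 0, 128, 3)  # RAID 5, left-symmetric, 64 KiB
    struct.pack_into("<I", sb, 160, dev_number)
    struct.pack_into("<QQII", sb, 200, events, 0, 0, len(roles))
    struct.pack_into("<%dH" % len(roles), sb, 256, *roles)
    return bytes(sb)
```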
Btrfs & ZFS — repair & snapshots
Recent NAS use Btrfs (Synology) or ZFS (QNAP, TrueNAS). We repair corrupt metadata trees and, crucially, can mount and explore snapshots: these point-in-time copies let us roll back to an earlier state — including before an attack.
Post-ransomware restoration
Many ransomware strains encrypt visible files but ignore read-only snapshots. We analyze the Btrfs/ZFS snapshots predating the attack and restore the state before encryption — often without paying any ransom. Processing takes place on an air-gapped network.
Repair of failed disks
If a member disk has a physical failure (heads, PCB, firmware), it first goes through the ISO 5 cleanroom for cloning, before the volume is rebuilt. The recovered data is returned on a new encrypted device.
NAS success rates across 120,000+ cases.
Averages observed since 2004. The ransomware share has risen sharply since 2022.
All brands, all systems.
SHR, SHR-2, X-RAID, RAID 0/1/5/6/10 volumes. Btrfs, ZFS, EXT4, XFS file systems. Ransomware handled: eCh0raix, Qlocker, DeadBolt, Checkmate and variants.
What you must never do to a failing NAS
- Recreate or repair the volume from the interface — this can permanently overwrite data and snapshots.
- Reset the NAS — the RAID/SHR configuration and snapshots can be lost.
- Delete snapshots after a ransomware attack — they hold the healthy state.
- Leave the NAS connected to the internet after an attack — encryption can spread or continue.
- Swap the disk order around — order is part of the volume definition.
The golden rule: after an attack, disconnect the NAS from the network and power, touch nothing, and send it to the lab. Paying a ransom does not guarantee that the data comes back.
Specialist answers on NAS.
My Synology NAS won't boot — is the data lost?
My NAS was encrypted by ransomware — recoverable?
What is SHR and can you rebuild it?
Should I send the whole NAS or just the disks?
How much does NAS recovery cost?
Understand NAS & snapshots.
This page describes the service. For the methodology and a real ransomware case, two resources complement this page.
Step-by-step NAS methodology
SHR reconstruction, Btrfs/ZFS repair, snapshot exploitation, post-ransomware restoration: the full approach.
Read the Guide chapter →
24 TB after ransomware
eCh0raix attack on a DS920+, 2 disks in error, restoration via day-before snapshots. No ransom paid.
See the case studies →
NAS down or encrypted?
Disconnect it from the network, delete no snapshot, don't recreate the volume. Free diagnosis within 24h — often, your data is recoverable without paying.