Computer Active (UK)

Why are all my files now 7z?


Q

My small-business hard drive was hacked, and now all of my stuff has a .7z file extension. Opening any of these files demands a password. Is there a way I can get my files back?

Ken Charlton

A

You didn’t say what type of hard drive you’ve got, when this happened or what might have preceded it, but it sounds like you’ve fallen victim to a ransomware attack. Specifically, we think you’ve been hit by Qlocker, or a variant of it. This is malware that attacks network-attached storage (NAS) drives, specifically targeting models from QNAP (www.qnap.com) – turning user files into encrypted archives, password-protected in the 7-Zip (7z) file format.

QNAP’s advice is essentially to stop using the device immediately and to contact the company’s support team, via https://service.qnap.com. It promises that it will attempt to recover files. It also offers a ‘self-service’ tool called Qrescue, but this is very complex and likely to be beyond the abilities of everyday users. You can read more about both options on QNAP’s website, at www.snipca.com/41895. You should also run the QNAP Malware Removal tool, which is a free download from www.snipca.com/41896 – but contact QNAP before doing anything at all.

How successful (or not) the recovery attempts are will depend on numerous factors, including how much the drive has been used since the attack happened, but QNAP offers no guarantees. Nonetheless, at this juncture, it is your least-worst option.

You might justifiably wonder what the worst option is – which would be to engage with the hacker. That’s because the point of ransomware is that the perpetrator is after a ransom. Sometimes, if the ransom is paid, the hacker will send you the password. To be crystal clear, we absolutely do not advocate doing this.

However, if you’re absolutely desperate, then you will find among the remnants of your locked data a file called ‘!!!READ_Me.txt’. This will tell you to use the anonymising Tor web browser (www.torproject.org) to visit the hacker's payment page, and to enter a key specific to your encrypted files (see screenshot 1).

There, you’ll be invited to make a payment in Bitcoin (BTC) (2). For Qlocker, this is usually 0.02 or 0.03BTC (about £600-£1,000, depending on the wildly fluctuating value of Bitcoin). If you’re lucky, the necessary password will be revealed. Certainly, with Qlocker attacks specifically, this has worked for some people. Equally, there’s no guarantee that your specific culprit will actually honour the deal, so you might just be handing over money for nothing.

We don't recommend it, but you can enter a client code (1) and make a Bitcoin payment (2)
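To scope the damage before talking to QNAP support, the symptoms described above (files turned into 7z archives, plus a ransom note) can be inventoried without writing to the drive. This is an added example, not part of the original article or any QNAP tool; the function names, bucket names and sample tree are assumptions, and it assumes it is pointed at a read-only mount or copy of the share.

```python
import os
import sys
import tempfile
from pathlib import Path

SEVEN_ZIP_MAGIC = bytes.fromhex("377abcaf271c")  # first six bytes of every 7z archive
NOTE_NAME = "!!!read_me.txt"  # ransom note named in the article, matched case-insensitively


def triage(root):
    """Walk root without writing to it and sort every file into one bucket."""
    report = {"archives": [], "odd_7z": [], "notes": [], "other": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            if name.lower() == NOTE_NAME:
                report["notes"].append(path)
                continue
            try:
                with open(path, "rb") as fh:  # read-only, six bytes per file
                    head = fh.read(len(SEVEN_ZIP_MAGIC))
            except OSError:
                report["unreadable"].append(path)
                continue
            if head == SEVEN_ZIP_MAGIC:
                report["archives"].append(path)  # real 7z container, whatever its name
            elif name.lower().endswith(".7z"):
                report["odd_7z"].append(path)  # .7z name, no 7z header: truncated or renamed
            else:
                report["other"].append(path)  # not converted to 7z
    return report


def summary(report):
    """Collapse the per-bucket path lists into counts."""
    return {bucket: len(paths) for bucket, paths in report.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(summary(triage(sys.argv[1])))
    else:
        # Constructed sample tree standing in for a share; all contents are made up.
        with tempfile.TemporaryDirectory() as tmp:
            share = Path(tmp)
            (share / "invoice.docx.7z").write_bytes(SEVEN_ZIP_MAGIC + b"constructed")
            (share / "photo.jpg.7z").write_bytes(b"")
            (share / "notes.txt").write_text("constructed plain file")
            (share / "!!!READ_ME.txt").write_text("constructed placeholder note")
            print(summary(triage(share)))
```

The `odd_7z` bucket matters for recovery expectations: a file with a .7z name but no 7z header was probably interrupted mid-write, so even the correct password would not open it.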
