You wake up one morning, try to access your NAS, and everything looks wrong. It looks like NAS ransomware. Your files are there. Sort of. But they're unusable. There's a ransom note with instructions: contact us through these steps. You follow them and end up in a chat with the attackers. There's also an .hta file, a file that opens like a local application in your browser, presenting what looks like a professional decryption tool or portal. It feels real. It feels like the kind of thing only someone with serious technical capability would build.
The whole experience is designed to convince you of one thing: your files are encrypted, and the only way to get them back is to pay.
But what if none of it is real?
To be clear: real NAS ransomware absolutely exists. Known ransomware variants like DeadBolt and eCh0raix have caused genuine damage by performing actual encryption. This article is not about those. What we want to show you is that not every attack is what it appears to be, and that the difference matters enormously for your recovery options.
In a recent case we handled, we discovered that what looked like a devastating ransomware attack was actually something much simpler. And much more deceptive. The attackers never encrypted anything. Not a single file. What they did was far more cynical: they deleted the files, replaced them with fake ones, and then built an entire performance to make the victim believe encryption had taken place.
How Fake NAS Ransomware Works
Here's what these attackers actually do, step by step:
- They get in through a misconfiguration. Your NAS is exposed to the internet, maybe through a default setting, a forwarded port, or credentials that were never changed. That's all they need.
- They copy your data to their own servers. Your photos, documents, personal files: all of it gets exfiltrated before anything else happens.
- They delete your original files. Not encrypt. Delete. Wipe. Gone from the directory.
- They drop fake files in the same locations. These fake files make it look like your data is still there but encrypted. It's a prop. A stage set.
- They leave a ransom note and a "decryption tool." The note contains instructions to reach them via chat. An .hta file is left behind that opens what looks like a legitimate decryption portal. In reality, it's just a connection to their own server where your stolen files are stored. The whole setup is designed to create urgency and make the operation look sophisticated.
Here's the thing: there is no decryption key, because there was never any encryption. The .hta "decryption tool" is just a front-end that connects to the attackers' own file server, where your stolen data sits. The "key" you'd be paying for doesn't decrypt anything. It just gives you access to download your own files from their infrastructure. You'd be paying a ransom not for decryption, but for access to data they stole from you.
How to Recognise This Specific Attack
In the case we investigated, the attack left several distinctive markers. If you're seeing any of these, you may be dealing with the same group:
- File extension .eeYai2po appended to all affected files (e.g., photo.jpg.eeYai2po)
- A ransom note containing the text "YOUR FILES ARE ENCRYPTED" with instructions to install uTox (a Tox chat client) and contact the attackers
- A Tox ID in the ransom note for communication via uTox
- Broken English in the ransom note, with phrases like "YOU WILL BRAKE YOUR DATA" and "ONLY WE ARE CAN HELP YOU"
- All affected files are exactly the same size (1MB / 1,048,576 bytes) regardless of the original file type. That's a dead giveaway that these are placeholders, not encrypted data
If your files match this pattern, there's a strong chance no real encryption took place. The attackers behind this campaign use intimidation and theatrics rather than actual cryptography.
Why Victims Believe the Fake Encryption
This approach is cynically clever, because it preys on what people expect ransomware to look like. Most people have heard of ransomware. They know it encrypts your files. They know you need a key. So when they see scrambled files and a payment page, they assume the worst. And they assume there's no way out except paying.
The attackers count on this. They don't need advanced cryptography. They don't need sophisticated malware. They just need you to panic and not look too closely.
The fake files, the ransom note, the chat channel, the .hta "decryption tool": it's all theatre. Designed to make you feel helpless. Designed to make paying seem like the only rational option.
If you're in this situation right now: stop. Don't pay yet. Don't assume your data is gone. And don't touch the NAS. The more you use the disk, the harder recovery becomes.
Can You Recover Files After a NAS Ransomware Attack?
Because no encryption took place, the original data may still be recoverable directly from the disk. Here's why.
When a file is "deleted," it's not immediately gone. The disk marks those specific storage blocks as available, but doesn't erase the contents. The original data remains physically present until those exact blocks happen to be reused by new data. On a large disk with plenty of free space, that reuse may not happen for a very long time, or at all. That's why it's so important to stop using the device: every new write to the disk increases the chance that some of your original data gets overwritten.
- Before the attack (your disk): The file table knows where everything is. Your data occupies part of the disk.
- After the attack (what the NAS shows you): The file table was wiped. Tiny fake files were placed. It looks like everything is gone.
- The reality (what forensics can see): Your original data is still physically on the disk, untouched. The tiny fake files were written to available free space. On a large disk, the chance of your original data blocks being reused is low, especially if you stop using the device immediately.
In the case we investigated, the attackers deleted files and placed fake ones in the same folder locations. But here's where their amateur approach worked in the victim's favour: the fake files were small, and the disk was large. The vast majority of the original data (over 300,000 files, including more than 200,000 photos) was still physically present on the disk, untouched.
We were able to recover almost everything. Files dating back over twenty years. Family photos, personal documents, memories that seemed lost forever. All recoverable, because no actual encryption ever took place.
An important caveat: this case involved traditional hard drives, where deleted data tends to stay on the disk until something overwrites it. Not all NAS devices work this way. If yours uses SSDs, deleted data can be erased automatically in the background, sometimes within minutes. Recovery prospects vary by device, which is why professional assessment matters early: what's inside your NAS directly determines what's possible.
The attackers wanted it to look like there was no way out. In reality, the data was sitting right there on the disk, waiting to be found.
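To make the "still physically on the disk" point concrete, here is an added Python example written for this article (it is not the tooling the ForCri team used). It carves JPEG objects out of a raw byte image purely by their start-of-image and end-of-image markers, ignoring any file table, which is why deleted files whose blocks have not been reused are still found. The mini disk image, the two marker-only pseudo-JPEGs and the 1 MiB null placeholder it contains are all constructed inline.

```python
import os
from pathlib import Path

# JPEG start-of-image and end-of-image markers. A carver looks for these
# signatures in raw bytes instead of trusting the (possibly wiped) file table.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def carve_jpegs(image: bytes, max_size: int = 20 * 1024 * 1024) -> list[bytes]:
    """Return every byte range from a JPEG SOI marker to the next EOI marker.

    Directory entries are ignored entirely: deleted files whose blocks survive
    are still recovered. A region larger than max_size is treated as a false
    start and skipped.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        end += len(JPEG_EOI)
        if end - start <= max_size:
            found.append(image[start:end])
            pos = end
        else:
            pos = start + 1
    return found


def write_carved(carved: list[bytes], out_dir: Path) -> list[Path]:
    """Write each carved object to out_dir as recovered_N.jpg and return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, blob in enumerate(carved):
        path = out_dir / f"recovered_{i:04d}.jpg"
        path.write_bytes(blob)
        paths.append(path)
    return paths


def make_fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a photo: SOI, a minimal APP0/JFIF segment, payload, EOI.

    Not a decodable picture, just enough marker structure for signature carving.
    """
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + payload + b"\xff\xd9"


def build_demo_image() -> tuple[bytes, list[bytes]]:
    """Constructed mini 'disk image' mirroring the article's scenario.

    Two deleted photos whose blocks survive, free-space filler around them,
    and one 1 MiB all-null placeholder of the kind the attackers dropped.
    """
    filler = b"free space, never written " * 64   # deterministic, contains no JPEG markers
    photo_a = make_fake_jpeg(b"\x10\x20\x30" * 2000)
    photo_b = make_fake_jpeg(b"\x5a\x6b" * 5000)
    placeholder = bytes(1_048_576)                   # the fake file the NAS shows
    image = filler + photo_a + filler + placeholder + photo_b + filler
    return image, [photo_a, photo_b]


if __name__ == "__main__":
    image, originals = build_demo_image()
    carved = carve_jpegs(image)
    print(f"carved {len(carved)} JPEG object(s) from a {len(image)}-byte image")
    print("carved objects match the deleted originals:", carved == originals)
    # write_carved(carved, Path("recovered"))  # uncomment to write recovered_*.jpg files
```

Run this only against a bit-for-bit image of the disk taken with a read-only tool, never against the live NAS, since every write to the device can overwrite the blocks you are trying to find. The carver is deliberately naive: real JPEGs often carry an EXIF thumbnail with its own EOI marker, which truncates this approach, and fragmented files are not reassembled at all. Established carvers such as PhotoRec and Scalpel handle those cases. The SSD caveat from the case above applies unchanged: if the controller has already discarded the blocks, there is nothing left to carve.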
What to Do When Your NAS Is Hacked
If your NAS has been compromised and you're seeing a ransom demand, here's what we recommend:
- Don't pay immediately. What you're seeing may not be what it appears. There's a real chance no encryption happened at all. You can check your files right now with our free tool. It analyses them in your browser to see if they show signs of real encryption or just fakes.
- Check whether you have backups. Do you have an offline or offsite backup? An external USB drive, a cloud backup, anything that wasn't connected during the attack? If so, your recovery path may be much simpler.
- Unplug the network cable. Now. This cuts the attacker's access and stops further data theft. Don't power it off: a running device holds valuable forensic evidence. But don't wait too long either: if professional help is more than a few hours away, a clean shutdown protects the disk from background writes. Network cable first, then phone call.
- Get professional help. A forensic investigation can determine what actually happened: real encryption, or a wipe-and-fake like the case above? This distinction matters enormously for your recovery options.
- Don't assume the worst. Attackers are in the business of making you feel hopeless. That's the whole point. The reality is often less dire than it appears.
Your Data Was Stolen. What Now?
Even if you successfully recover every file from the disk, there's an uncomfortable reality to face: the attackers already have a copy of your data on their servers. Your photos, documents, personal files: they were exfiltrated before anything was deleted.
This means you should think carefully about what was on that NAS. Personal financial documents? Identity-related paperwork? Sensitive photos? Consider monitoring for identity theft and changing passwords for any accounts whose credentials may have been stored on the device.
If you stored data belonging to other people (client files, employee records, family members' documents), you may have a responsibility to inform them. For businesses, this can trigger formal data breach notification obligations under GDPR. The 72-hour reporting window begins once you have reasonable certainty that personal data was affected, which makes getting a professional assessment quickly all the more important. Even for individuals, being transparent with the people whose data was affected is the right thing to do.
Should You Report a NAS Ransomware Attack?
Our advice: file a police report if you can. Here's why it matters:
- Insurance. Many policies require a police report before they'll cover damages or recovery costs.
- Intelligence. Every report feeds national and European threat databases — including those used by Europol and the No More Ransom project — that help disrupt larger operations.
- Legal protection. If the stolen data surfaces later, a police report gives you a documented starting point.
- Regulatory compliance. If personal data of others was involved, reporting to the Dutch Data Protection Authority may be legally required.
We'll be honest: when the attack originates from overseas, the chances of your specific case being pursued are limited. If your time and energy are scarce, recovery and securing your setup come first. But if you can spare the 30 minutes, the report is worth having on file. You may need it later in ways you don't expect right now.
How to Prevent NAS Ransomware Attacks
The root cause in cases like these is almost always a security gap in the setup. A NAS that was exposed to the internet when it shouldn't have been. Default credentials that were never changed. Remote access that was enabled without adequate protection.
Once you've recovered your data, take the time to properly secure the device. Disable unnecessary remote access. Change all credentials. Keep the firmware updated. And if you're not sure whether your setup is secure, ask someone who knows.
Most importantly: set up proper backups. Follow the 3-2-1 rule: three copies of your data, on two different types of media (for example, your NAS plus an external USB drive kept unplugged), with one copy stored offsite or offline. A NAS is a storage device, not a backup. If your only copy of important data lives on a single device connected to the internet, you're one misconfiguration away from losing everything. A good backup strategy is the single best protection against both real and fake ransomware.
The Takeaway
Not everything that looks like ransomware is ransomware. Attackers invest in making their attacks look more sophisticated than they are, because panic is their most effective tool. The ransom note, the chat, the .hta "decryption tool": it's marketing. Designed to make you pay before you think.
If you find yourself in this situation, take a breath. Get the facts before you make a decision. There may be more options than the attacker wants you to believe.
Indicators associated with this attack
If you're seeing any of these on your NAS, this article may apply to your situation:
- File extension: .eeYai2po
- Communication: uTox / Tox chat client (Tox ID provided in ransom note)
- File size: All affected files exactly 1,048,576 bytes (1MB)
- Content: Files filled entirely with null bytes (0x00)
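The size and content indicators above, and the same markers listed under "How to Recognise This Specific Attack", can be checked offline without sending anything anywhere. The Python script below is an added example written for this article, not the ForCri checker: it reads each file on a share read-only, flags the 1,048,576-byte all-null placeholder pattern, and uses byte entropy to separate content that looks genuinely encrypted from readable data. The demo directory, its three files and the 7.5 bits-per-byte threshold are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators reported for this campaign: placeholder files were exactly
# 1,048,576 bytes, consisted entirely of null bytes, and carried ".eeYai2po".
PLACEHOLDER_SIZE = 1_048_576
SUSPECT_EXTENSION = ".eeYai2po"
SAMPLE_BYTES = 65_536        # how much of a large file to read for the entropy check
ENCRYPTED_ENTROPY = 7.5      # bits per byte; real ciphertext sits close to 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for identical bytes, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_content(sample: bytes, file_size: int) -> str:
    """Classify a file from a byte sample and its total size.

    'placeholder'        -> the 1 MiB, all-null pattern from this campaign
    'likely-encrypted'   -> high-entropy content, consistent with real encryption
    'plaintext-or-other' -> anything else (readable data, ordinary binaries)
    """
    if file_size == PLACEHOLDER_SIZE and sample.count(0) == len(sample):
        return "placeholder"
    if shannon_entropy(sample) >= ENCRYPTED_ENTROPY:
        return "likely-encrypted"
    return "plaintext-or-other"


def classify_file(path: Path) -> str:
    """Read only what is needed: the whole file for placeholder-sized ones, a head sample otherwise."""
    size = path.stat().st_size
    to_read = size if size == PLACEHOLDER_SIZE else SAMPLE_BYTES
    with path.open("rb") as fh:
        sample = fh.read(to_read)
    return classify_content(sample, size)


def triage_directory(root: Path) -> Counter:
    """Walk a share read-only, counting files per class and how many carry the suspect extension."""
    summary = Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        summary[classify_file(path)] += 1
        if path.name.endswith(SUSPECT_EXTENSION):
            summary["suspect_extension"] += 1
    return summary


def build_demo_dir() -> Path:
    """Create a throwaway directory with three constructed files mimicking what a victim might see."""
    root = Path(tempfile.mkdtemp(prefix="nas-triage-demo-"))
    # 1. the campaign's placeholder: 1 MiB of 0x00 under a renamed photo
    (root / ("photo.jpg" + SUSPECT_EXTENSION)).write_bytes(bytes(PLACEHOLDER_SIZE))
    # 2. what genuinely encrypted data looks like: random bytes stand in for ciphertext
    (root / "archive.bin").write_bytes(os.urandom(SAMPLE_BYTES))
    # 3. an untouched text document
    (root / "notes.txt").write_bytes(b"Quarterly notes: nothing to see here.\n" * 200)
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for path in sorted(demo.rglob("*")):
        print(f"{classify_file(path):20s} {path.name}")
    print("summary:", dict(triage_directory(demo)))
```

Run it after the network cable is out, ideally against a read-only copy of the share rather than the NAS itself. A directory full of "placeholder" verdicts is strong evidence of a wipe-and-fake like the case above. Treat "likely-encrypted" as a prompt to look closer rather than proof: compressed formats such as JPEG, ZIP and MP4 also score near 8 bits per byte, so an untouched photo library will show up there too, and checking whether the first bytes still carry the expected file header is the next step.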
Written by
ForCri Team
Cyber Crisis Management & Digital Forensics