Re: NAS RAID configuration overwritten by ransomware

[Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>]

On Sun, 30 Jun 2024 11:16:34 -0700
MC <darkhat@gmail.com> wrote:

> Hi everyone,
> 
> Is there a way to force mdadm to assemble a certain set of drives into
> a particular RAID format? A friend of mine had a NAS that was hit with
> ransomware. His setup was a RAID-5, 64kb chunk size, 4x4TB, XFS
> filesystem setup, while during the attack, they overwrote the config
> to be RAID-0/512kb chunk size (it is a Buffalo NAS, running Linux with
> libmd). He pulled the plug while it was in the process of formatting
> the XFS filesytem. Much of the data I have been able to recover, but
> now it would be a lot nicer for me if I could access a raw /dev device
> assembled as RAID-5/64kb chunk (rather than the current RAID-0
> mdadm/mdstat currently shows), instead of using a tool like UFS
> Explorer to assemble it properly for me. Obviously, minimal
> (preferably none) writes to the disk if possible. I was afraid to
> start throwing mdadm assemble and create commands around. Could
> someone please advise on best path forward?
> 
> Thanks in advance,
> Mike
> 

Hello Mike,
there is a --build option for mdadm (run array with no metadata). Perhaps this
is option you are looking for:

#mdadm -Ss (stop all existing)
# mdadm --build /dev/md126 <here your raid5 params comes> --assume-clean

use --assume-clean to avoid reconstruction. so far I know, --readonly is not
supported. You can set /sys/block/md126/ro = 1 manually to prevent writes.

Thanks,
Mariusz