Cannot access the Deleted Files folder after ransomware attack

Nextcloud version (eg, 12.0.2): 13.0.6
Operating system and version (eg, Ubuntu 17.04): Ubuntu 16.04 LTS
Apache or nginx version (eg, Apache 2.4.25):
PHP version (eg, 7.1):
Snap install

The issue you are facing:

I’ve suffered a ransomware attack on a computer that was syncing with the Nextcloud server. All files are now encrypted. When I look into the deleted files area, I get a “This directory is unavailable, please check the logs or contact the administrator” message. If I go into the MySQL database, I see all the files listed in oc_files_trash. Also, in the filesystem I see over 70K files in /var/snap/nextcloud/common/nextcloud/data/admin/files_trashbin/files. How can I see those files again so I can select what to restore?
Thanks,
Sergio

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Described above

Hi Spsantos,

The files_trashbin you pointed to in your e-mail may not be the folder in which you need to look… First, it is associated with the admin account. Is it that account that got hit by the ransomware, or is it another user?

Second, this folder is, as its name says, the trash folder; the one for --deleted-- files. The ransomware surely did not delete the files but encrypted them instead. As such, Nextcloud will have moved the unencrypted version into the directory where it keeps previous versions of the files, not the one for deleted files.

You are probably better to look into
/var/snap/nextcloud/common/nextcloud/data/VICTIM_NAME/files_versions

Also, what are you using as storage for your data? Is it just saved on the local disk, or is it saved on an external NAS server? Here, I am using FreeNAS as a backend, and the entire data folder for Nextcloud is located on that NAS. From it, I take regular snapshots, so reverting to a previous snapshot, or cloning one and re-accessing it over another channel, is an option for me should I need to recover from ransomware. If you have a similar backend, you can look at it.

One thing you can do from the command line on your Nextcloud server is to create a new directory into which you copy all the stuff you would like to review from your Nextcloud interface, something like /var/snap/nextcloud/common/nextcloud/data/yourself/files/ransomware_recovery

Then, copy all the files and folders you want in that directory. For Nextcloud to “find” them and show them to the clients, you need to have it rescan the files using the OCC command (nextcloud.occ files:scan yourself)

Good luck recovering from your incident,

Heracles
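As an added example (not code from this thread or from the Nextcloud project), here is a small POSIX shell function that implements the staging step described above: it copies entries out of a user's files_trashbin/files directory into a recovery folder, strips the `.d<unix-timestamp>` suffix that Nextcloud appends to trashed names so the files show up under their original names, and optionally restricts the copy to a deletion-time window so that only items trashed during the incident are staged. The snap data path is the one quoted in the thread; the `--run` flag, the `ransomware_recovery` folder name and the time-window arguments are assumptions for this example. Note that if the ransomware wrote encrypted copies and the client synced deletions of those too, the trash can hold both clean and encrypted versions of a name; the function keeps both (the later one gets a `.restored-<timestamp>` suffix) so you can review them rather than silently overwrite one.

```shell
#!/bin/sh
# Stage Nextcloud trashbin entries into a recovery folder.
# Example code written for this thread; not part of Nextcloud.
# Trashed entries are named  <original name>.d<unix deletion timestamp>;
# directories keep that suffix only on the top-level folder name.

# stage_trash SRC_TRASH DEST_DIR [MIN_TS] [MAX_TS]
#   Copies every top-level entry of SRC_TRASH (a files_trashbin/files dir)
#   whose deletion timestamp lies within [MIN_TS, MAX_TS] into DEST_DIR under
#   its original name. Prints the number of entries copied.
stage_trash() {
  src=$1; dest=$2; min_ts=${3:-0}; max_ts=${4:-9999999999}
  mkdir -p "$dest"
  count=0
  for entry in "$src"/*; do
    [ -e "$entry" ] || continue
    base=$(basename -- "$entry")
    ts=${base##*.d}      # text after the last ".d"  -> "1539000000"
    name=${base%.d*}     # text before that ".d"     -> "report.docx"
    # Skip anything that is not  <name>.d<digits>  (not a trashbin entry).
    [ "$ts" != "$base" ] || continue
    case $ts in ''|*[!0-9]*) continue ;; esac
    [ "$ts" -ge "$min_ts" ] && [ "$ts" -le "$max_ts" ] || continue
    target="$dest/$name"
    # Several trashed versions of one name: keep all, tag the later ones.
    [ -e "$target" ] && target="$dest/$name.restored-$ts"
    cp -pR -- "$entry" "$target"   # -p keeps mtime/mode for later review
    count=$((count + 1))
  done
  echo "$count"
}

# Usage on the snap install from the thread (run as root, the data dir is
# root-owned):   sudo sh stage_trash.sh --run [MIN_TS] [MAX_TS]
if [ "${1:-}" = "--run" ]; then
  DATA=/var/snap/nextcloud/common/nextcloud/data   # snap default data path
  USER_NAME=admin                                  # victim account (assumed)
  n=$(stage_trash "$DATA/$USER_NAME/files_trashbin/files" \
                  "$DATA/$USER_NAME/files/ransomware_recovery" \
                  "${2:-0}" "${3:-9999999999}")
  echo "staged $n entries into files/ransomware_recovery"
  # Nextcloud only lists files it knows about: rescan just that folder.
  if command -v nextcloud.occ >/dev/null 2>&1; then
    nextcloud.occ files:scan --path="/$USER_NAME/files/ransomware_recovery"
  else
    echo "now run: sudo nextcloud.occ files:scan --path=/$USER_NAME/files/ransomware_recovery"
  fi
fi
```

Pick MIN_TS/MAX_TS from the deletion timestamps around the attack (the `timestamp` column of oc_files_trash, or the `.d` suffixes themselves) so that years of legitimately deleted files are not pulled back in with the incident's. Review the staged copies before moving anything over the encrypted originals.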

Hi Heracles. Thanks for the prompt response.
The client was away, and we had no access to the server until now.
All the files are the admin’s, that is correct. And are then shared with the users.
As for the versions folder, it’s empty. My thinking was that windows actually deletes and recreates a file when renaming, and I see a very full trash folder, so hope remains.
I will try the ransomware_recovery approach and let you know.
Thanks!

Nothing. Is there a way to access the database so that I can recover these files (the ones in trash)?
Thanks,
Sergio

Hi again,

It is probably way too late, but in hope it can be useful to others…

What you did as a setup is not recommended at all, exactly for this reason. The files were saved as belonging to the admin, but were damaged by some other user. Because the file was not that other user’s property, the previous version was not saved in that user’s hidden file-versioning folder. But because the action was not taken by the admin, the modification did not end up in his hidden file-versioning folder either. As such, the modification ended up not being saved.

Your only hope now is from a backup outside of Nextcloud itself. As in my case, I would have to go to one of my FreeNAS snapshot.

When designing an environment, you must define a proper data owner for every piece of data. That data owner is responsible for protecting that data. Offering everyone write access to his only instance of the data is not protecting the data in any way.

Hope that can help others avoid such an incident…