Server or NAS Files Gone? What Foreign Companies in China Should Do in the First Hour
Files disappear from servers and NAS systems more often than most companies plan for. It happens to well-run offices too — accidental deletion, hardware failure, ransomware, or a migration that goes wrong. This guide walks through the right sequence of actions, what to avoid, and how to recover — for foreign companies operating in Greater China and APAC, with or without on-site IT.
Stop writing new data to the affected system immediately. Check the recycle bin, NAS snapshots, and Windows Previous Versions before doing anything else. Do not rebuild RAID, reinstall software on the affected drive, or overwrite your backups. If hardware failure or ransomware is involved, contact IT support before taking any further action.
If you suspect that someone inside or outside the company may have deleted files intentionally, preserve the evidence and consider an external IT audit before making changes to the affected system. The steps you take — or avoid — in the first hour determine whether the data is recoverable.
1What Usually Causes Server or NAS File Loss
Understanding the likely cause determines the right response. Not all file loss incidents are the same, and treating a ransomware event like a simple accidental deletion — or vice versa — can make recovery significantly harder, and in some cases make recovery seem impossible.
Accidental Deletion and File Overwrites
This is the most common cause. A staff member deletes a file or folder, saves over an existing document, or moves files to the wrong location. In environments where the NAS recycle bin is not enabled at the shared-folder level, deleted files are gone immediately. Overwritten files are harder to recover because the data has been actively replaced.
The business impact is immediate: the finance report due tomorrow, the client proposal that took a week to build, the HR records needed for an audit — suddenly inaccessible.
Permission Changes and Sync Issues
Sometimes files are not deleted at all. A change in folder permissions makes them inaccessible to the users who need them. Sync conflicts between a NAS, a cloud service, or Microsoft 365 can also cause files to appear missing when they have simply been moved, renamed, or overwritten by a sync process.
Before treating it as a data loss incident, confirm whether the files have actually been deleted or whether users have simply lost access to them. A permissions issue can often be resolved in minutes by an admin. A genuine deletion requires a recovery process, and confusing the two wastes critical time.
Hardware Failure, RAID Problems, and Power Events
Hard drives fail. NAS systems running RAID configurations can lose redundancy silently. Sometimes one drive has already failed and no one noticed, and when the second fails, data is gone. Power outages and sudden shutdowns can corrupt file systems, making data inaccessible even if drives are physically intact.
RAID failure is particularly dangerous because many companies assume RAID keeps their data safe. It does not. RAID provides resilience against a single drive failure. It is not a backup.
Ransomware, Malware, and Malicious Deletion
Ransomware encrypts files on shared drives and renders them unreadable without a decryption key. Malicious deletion — by an external attacker or, in some cases, a departing employee — can wipe files or folders entirely. In environments where NAS devices are accessible over the network or exposed through misconfigured remote access, these incidents are not rare.
If files are missing and there are signs of unusual activity — encrypted file extensions, ransom notes, unexpected login events, abnormal admin activity, or unusual deletion patterns — treat this as a security event, not just a data loss event. If you think someone is doing something malicious, the safest approach is to preserve logs, avoid changing the system, and involve an external IT audit or investigation partner to review what happened independently.
Backup, Migration, and Offboarding Mistakes
Failed migrations are a common cause of data loss in Greater China and APAC offices. Moving files from an old server to a new NAS, upgrading firmware, or changing storage architecture without proper verification can result in data that appears migrated but is incomplete or corrupted.
Employee offboarding is another risk. A departing employee, particularly one with administrator access, may intentionally or accidentally delete files, revoke permissions, or take data. Without proper offboarding controls and audit logging, this is difficult to detect until the damage is already done.
2What to Do Immediately
The actions taken in the first hour after data loss are often the difference between full recovery and permanent loss. Follow this sequence in order.
Stop Writing New Data to the Affected System
This is the single most important step. Every file written to the same storage system after data loss reduces the chance of recovering what was lost. If a hard drive has failed or files have been deleted, new data can physically overwrite the space where deleted files were stored. Ask all users to stop accessing the NAS or server immediately. If the system is in active use across the office, the clock is running.
Check the Recycle Bin, Snapshots, and Version History
On most NAS systems, a recycle bin feature can be enabled at the shared folder level. If it was active, deleted files may still be there. Check it first. If your Synology or QNAP NAS has snapshots configured, check them next. Snapshots capture the state of a volume at a point in time and allow you to restore a folder or file without professional recovery tools.
On Windows file servers, right-click the affected folder and check Previous Versions. For Microsoft 365 files in SharePoint or OneDrive, version history is available directly within the file or library settings. SharePoint also maintains a two-stage recycle bin: files deleted by users go to the site recycle bin first, and if emptied from there, move to a second-stage recycle bin accessible only to site collection administrators, recoverable for up to 93 days from initial deletion.
Check Backups and System Logs
Check whether a current, clean backup exists. One critical point: backup success is not the same as restore success. A backup job completing without errors does not confirm that the data is actually restorable. This distinction matters, and many organisations only discover it under pressure.
Also check system and access logs to identify when the files were last present, who modified them, and whether any unusual activity occurred. Audit logs only help if they were enabled before the incident. If a client asks who deleted a file but Windows Server audit logging or NAS access logging was not configured beforehand, it is often impossible to prove the exact user after the fact. Logs are not retroactive.
This is why file access auditing should be part of the server or NAS setup before a data loss incident occurs.
Identify the Last Known Good Version
Before attempting any recovery, establish a timeline: when were the files last known to be accessible and intact? This narrows down which backup, snapshot, or version to target, and helps avoid restoring an already-corrupted version of the data.
Isolate Suspicious Devices If Ransomware Is Possible
If files show unusual extensions, garbled content, or if a ransom note has appeared anywhere on the network, isolate the affected devices immediately. Disconnect them from the network. Do not just power them off. Ransomware that is still running will continue encrypting files it can reach across the network. Containing the spread is the priority before recovery.
A manufacturing company arrives Monday morning to find hundreds of files in the shared production folder showing an unfamiliar extension and opening as garbled data. Before anyone investigates, two more users log in and connect to the NAS, extending the encryption to additional folders. The correct first response was to disconnect the NAS from the network the moment the problem was identified. Every minute of continued network access allowed the ransomware to encrypt more data.
Preserve Evidence If Malicious Activity Is Suspected
If the incident may involve a former employee, a current employee, a vendor, or an external attacker, do not rush into cleanup. Preserve logs, user accounts, access records, file timestamps, device status, and backup history. Do not delete accounts, reassign devices, wipe laptops, or overwrite server logs before the situation has been reviewed.
This is where an external IT audit can help. An external audit gives management a more independent view of what happened, which accounts were involved, whether access controls were weak, and whether the organisation needs to involve legal, HR, insurance, or a specialist investigation partner.
Document the Incident
Start a written record immediately: what was lost, when it was discovered, what the last known good state was, and every action taken from that point forward. This documentation serves three purposes: it helps keep the recovery process organised, it supports any insurance claim, and it satisfies audit and compliance requirements that foreign companies operating in Mainland China, Greater China, and APAC may be subject to under local regulations and internal governance standards. HQ may not have visibility into what is happening at a local office in real time. Clear documentation bridges that gap.
3What Not to Do
The following actions are among the most common mistakes made after a data loss event. Each one can reduce recovery chances significantly or make professional recovery impossible.
- Do not keep using the NAS or server if hardware failure is suspected. Continued use risks overwriting recoverable data or causing further physical damage to degraded drives.
- Do not rebuild RAID without professional advice. Rebuilding a RAID array incorrectly, or before a full assessment, can permanently destroy data that would otherwise have been recoverable. This is one of the most common and most damaging mistakes made after a NAS failure.
- Do not install recovery software directly on the affected system. Installing software writes data to the drive. Use a separate machine and work on a verified image of the drive where possible.
- Do not overwrite existing backups. If your backup schedule is running automatically, pause it until you confirm the current state. An automated backup of a corrupted or infected system will overwrite the last clean backup you have.
- Do not ignore ransomware indicators. Unusual file extensions, slowing system performance, or multiple users reporting inaccessible files simultaneously are warning signs. Act on them immediately.
- Do not delete user accounts too quickly if malicious activity is suspected. Disable access if needed, but preserve logs and account records before removing evidence.
- Do not assume cloud sync equals backup. Syncing files to OneDrive or Google Drive does not protect against deletion. If a file is deleted on the NAS, the sync process deletes it from the cloud too.
- Do not rely on a single copy of critical data. One-copy storage — where the NAS is the only location for business-critical files — is not an acceptable risk position.
Why RAID Is Not a Backup
RAID mirrors or distributes data across multiple drives to provide resilience against a single drive failure. It keeps the system running if one drive dies. It does not protect against accidental deletion, ransomware, file corruption, or the simultaneous failure of two drives. If a user deletes a folder on a RAID-5 NAS, that deletion is reflected across all drives instantly. RAID has no memory of what the data looked like five minutes ago. A backup is a separate, independent copy stored on a different device or location. RAID is not that.
Why Cloud Sync Is Not a Backup
Sync tools like OneDrive, Google Drive, and Dropbox keep files accessible across devices. They are not backup systems. A deleted file syncs as deleted. A corrupted file syncs as corrupted. Microsoft 365 version history and the OneDrive recycle bin offer some protection, but they have retention limits and are not a substitute for a structured, tested backup process.
4Recovery Options Compared
The right recovery method depends on what happened, what was in place before the incident, and how quickly the problem was identified.
| Option | Best For | Speed | Risk / Limitations | When to Use |
|---|---|---|---|---|
| Restore from Backup | Most data loss scenarios | Fast to moderate | Only as good as the last verified, tested backup | First option if a recent, clean backup exists |
| Windows Previous Versions | Accidental deletion or overwrite on Windows servers | Fast | Requires VSS to have been enabled before the incident | When files were deleted from a Windows file server recently |
| NAS Snapshots | Accidental deletion, overwrite, or early-stage ransomware | Fast | Only available if snapshots were configured before the incident | When snapshots exist and predate the data loss |
| Microsoft 365 Version History | Overwritten or deleted cloud and Office files | Fast | Retention limits apply; does not cover local NAS data | For files stored in SharePoint or OneDrive |
| Professional Data Recovery | Hardware failure, failed RAID, physically damaged drives | Days to weeks | Cost can be significant; no guaranteed outcome | When drives have failed and no backup is available |
| External IT Audit | Suspicious deletion, unclear user activity, vendor concern, internal risk | Moderate | Requires logs and evidence to have been preserved | When you need to understand who did what and whether controls failed |
| Forensic Investigation | Ransomware, malicious deletion, insider threat, or legal sensitivity | Slow | Requires specialist; chain of custody must be preserved | When the cause is unknown, criminal, or legally sensitive |
"The fastest recovery path is always a clean, tested backup. Everything else is a fallback. If your environment does not have a reliable backup with a verified restore process, options narrow significantly and costs increase accordingly."
Restore from Backup
Identify the last clean backup that predates the loss. Restore to an isolated environment first to verify the data is complete and usable, then move it to production. Do not restore directly over the affected system without confirmation. Check backup logs for the exact timestamp of the last successful job, and remember that a completed backup job is not a confirmed restore until you have actually tested it.
Windows Previous Versions / Shadow Copies
Right-click on the affected folder in Windows Explorer and select Restore previous versions. This uses Volume Shadow Copy Service snapshots created automatically by the operating system. This only works if VSS was enabled and a recent snapshot exists. It is the fastest self-service recovery option for Windows file servers, requiring no specialist tools or external help.
NAS Snapshots — Synology and QNAP
On Synology systems, open DSM and navigate to Snapshot Manager to browse and restore previous states of a shared folder or entire volume. On QNAP systems, use the Snapshot Vault in QTS. If snapshots were scheduled and enabled before the incident, this is the fastest path for NAS-specific recovery. This method is also effective against ransomware if the snapshot predates the encryption event.
Microsoft 365 Version History
For files stored in SharePoint or OneDrive, open the file or folder in the browser, access version history, and restore the required version. If the file has been deleted entirely, check the SharePoint site recycle bin first — accessible to any user with site access. If already emptied, it moves to the second-stage recycle bin, which only site collection administrators can access, for up to 93 days from the original deletion. For companies managing Microsoft 365 in Mainland China, confirm that access to admin portals is available through your network setup before a recovery scenario occurs.
Professional Data Recovery — Hardware Failure
If drives have failed physically or a RAID array has collapsed, professional data recovery is the appropriate path. This involves sending drives to a specialist facility where they are examined in a controlled environment. Do not attempt to rebuild the RAID or run consumer recovery tools on the drives first. Doing so can make professional recovery impossible. The cost is significant, but it is the only viable option when hardware has failed and no backup exists.
External IT Audit — Suspicious Deletion or Insider Risk
If you suspect that files were deleted intentionally, or that someone inside the organisation may have acted maliciously, recovery is only one part of the response. The company also needs to understand what happened. An external IT audit can review access rights, admin accounts, file access logs, Windows Server audit policies, NAS logs, Microsoft 365 audit history, offboarding controls, vendor access, backup status, and evidence preservation. JET IT Services can support the technical IT audit and, where appropriate, coordinate with trusted partners such as TEK-ID or PSU for specialist risk, security, or investigation support.
Forensic Investigation
If there is any indication that data loss resulted from ransomware, an external breach, or deliberate internal action, forensic investigation may be necessary. A forensic specialist will image the drives without modifying them, preserve chain of custody, and identify the cause, scope, and timeline of the incident. This may also be required if the incident could lead to legal proceedings, internal investigations, insurance claims, or regulatory reporting obligations.
5When to Call IT Support
Internal recovery attempts are appropriate in some situations. In others, they make the situation significantly worse. Know when to stop and escalate.
Signs of Hardware Failure
Clicking or grinding sounds from a NAS, drives showing as degraded or missing in the management interface, sudden inaccessibility of a shared volume, or a NAS that will not boot are signs that internal access attempts could cause further physical damage. Stop all writes, disconnect the system from the network, and call a specialist before touching it further.
Signs of Ransomware or Malicious Deletion
Encrypted files with unfamiliar extensions, ransom notes in folders, unexpected changes across large numbers of files, or audit logs showing access from unfamiliar accounts require a different response from a standard deletion. Isolate first, investigate second. Do not attempt to decrypt files using tools found online without professional guidance. Many publicly available decryptors are themselves malware. If malicious activity is suspected, consider an external IT audit before cleaning systems, deleting accounts, or restoring data into production.
Signs of Business or Compliance Risk
If the lost data includes finance records, HR files, legal documents, client contracts, or any data subject to local compliance requirements in Mainland China, Greater China, or APAC, the incident may need to be documented and reported beyond the IT team. Document the incident formally, involve management, and seek IT and legal advice where appropriate. For local offices without a dedicated on-site IT team — which is common across Greater China and APAC — having an external IT support partner reachable immediately makes a measurable difference to the outcome.
When Specialist Partners May Be Needed
JET IT Services can handle the IT response, recovery review, backup audit, system hardening, and technical documentation. In some cases, the issue is not only technical. If there is a concern around fraud, insider activity, vendor misconduct, physical security, or broader risk exposure, JET IT can coordinate with specialist partners including TEK-ID for technical or investigative support and PSU for broader risk, security, corporate intelligence, or investigation-related matters.
Dealing with an active incident? JET IT works directly with foreign companies across Greater China and APAC and can engage immediately in English with your local environment.
Contact JET IT →6How to Prevent Future Loss
For companies operating local offices in Greater China or APAC without a full-time IT team on site, prevention is not about complexity. It is about having the right basics in place and verifying that they actually work.
Test Backups Regularly
A backup that has never been tested is not a backup. It is an assumption. Schedule regular restore tests: pick a sample of files from your backup, restore them to a test location, and confirm they are complete and usable. Do this at least quarterly. Many organisations discover backup failures for the first time during an actual recovery attempt, which is the worst possible moment to find out.
Use 3-2-1 Backup Thinking
Keep 3 copies of your data, on 2 different types of storage, with 1 copy stored off-site or in the cloud. For a Greater China office, this might mean: files on the NAS, a local backup on a separate device, and a cloud or off-site backup. One-copy storage — where the NAS is the only copy of business-critical files — is not an acceptable risk position for any company that depends on those files for operations.
Keep Snapshots and Recycle Bins Enabled
On Synology and QNAP systems, enable the recycle bin for all shared folders and configure scheduled snapshots for active working directories. These two features cost little to set up and are the fastest recovery path for accidental deletion. If they are not enabled before an incident occurs, they provide no protection when you need them.
Review Permissions and Offboarding Controls
Restrict write and delete access to shared folders to users who genuinely need it. When an employee leaves, revoke access on the same day, not the following week. Keep audit logging enabled so access events are recorded. For folders containing finance, HR, legal, production, or management files, consider requiring a two-step process for deletion of large volumes of data. For Greater China offices, timely offboarding also helps reduce local operational, HR, and data access risk.
Enable Windows Server File Audit Logging
For Windows file servers, audit logging should be enabled before an incident happens. Without it, companies may be able to restore a deleted file, but they may not be able to confirm who deleted it. At a minimum, companies should enable the Audit File System policy in Windows Server Group Policy and configure auditing on sensitive shared folders.
Enable via: Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit File System. After enabling the policy, auditing must also be applied to the specific folders that need monitoring — finance, HR, legal, production, or management folders should record successful delete, modify, and access events. Best practice: set it up in advance on critical folders, test that events are being recorded, and define who reviews logs when a file loss incident occurs.
Build a Local Recovery Runbook
Document the recovery steps specific to your environment: where backups are stored, how to access NAS snapshots, who to call if hardware fails, and what the escalation path is. In a Greater China or APAC office where the local team may not have deep IT expertise, a clear runbook in plain language reduces the risk of wrong actions taken under pressure. HQ should have a copy too. Local offices often lack real-time visibility from the head office side, and a shared runbook ensures that the right decisions can be made from either end.
Prevention Checklist
Use this before an incident occurs. If you cannot check every item, prioritise the top third — backup, snapshots, and offboarding controls.
- Backup schedule is active and verified within the last 30 days
- At least one backup copy is stored off-site or separate from the NAS
- Backup restore has been tested successfully within the last quarter
- NAS recycle bin is enabled on all shared folders
- NAS snapshots are configured and scheduled
- Windows VSS / Previous Versions is enabled on file servers
- Microsoft 365 version history retention settings have been reviewed
- Folder permissions are limited to users who need write or delete access
- Windows Server Audit File System policy is enabled for sensitive shared folders
- NAS or file server access logs are enabled and reviewed when incidents occur
- Admin access and vendor accounts are reviewed regularly
- External IT audit is considered when malicious activity is suspected
- Offboarding procedure includes same-day access revocation
- A written recovery runbook exists and is accessible to the local team
- IT support contact for out-of-hours incidents is documented and known to the local team
Frequently Asked Questions
Possibly, but the chances depend on how much data has been written to the drive since the deletion. If the drive has not been heavily used since the files disappeared, a professional data recovery specialist may be able to retrieve deleted files by scanning the raw storage. The less data written after deletion, the better the prognosis. Enabling the recycle bin before any incident occurs is always the safer approach.
Do not rebuild the RAID without first assessing the full situation. Check how many drives are healthy and how many are degraded or missing. If one drive has failed and RAID redundancy is intact, you may be able to replace the drive and rebuild — but only with guidance from a qualified IT professional. If two or more drives have failed, stop all write activity immediately and contact a data recovery specialist. Attempting a RAID rebuild in this state will almost certainly destroy what remains.
Typically between three and ten business days for a standard case, though complex RAID failures or physically damaged drives can take longer. Recovery is not guaranteed, and cost reflects the level of work required. Some specialist providers offer expedited services at higher cost. The cleaner and more untouched the drives are when they arrive, the better the outcome is likely to be.
Do not take any action on the affected system until you have checked your access logs and confirmed the scope of what is missing. If intentional deletion is confirmed or strongly suspected, preserve the evidence — do not modify or overwrite logs or drives. Engage IT support with forensic experience and involve your legal and HR teams. If the situation suggests malicious activity, vendor misconduct, fraud, or broader internal risk, run an external IT audit before restoring normal operations. In more sensitive cases, JET IT can coordinate with specialist partners including TEK-ID or PSU.
For files stored in SharePoint or OneDrive, version history can be very effective. It retains up to 500 versions of a file and can restore deleted items from the recycle bin for up to 93 days. However, it only applies to files managed within Microsoft 365. It does not cover files stored only on a local NAS, and it is not a substitute for a full backup strategy. It is a useful layer, but not the only one you should rely on.
Have your external IT support partner's contact information documented and accessible to the local team before an incident occurs. Make sure the local team knows exactly what to do in the first 15 minutes — specifically what not to do, such as continuing to use the system, restarting, rebuilding, or deleting potentially important evidence. A short written first-response checklist posted in the office or saved in a shared location prevents the most common mistakes while you wait for IT support to engage.
Only if audit logging was enabled before the deletion happened. On Windows Server, this means enabling the Audit File System policy and applying auditing rules to the relevant shared folders. On NAS systems, access logs must also be enabled in advance. If logging was not active at the time of deletion, IT teams may be able to restore the file, but they usually cannot reliably prove which user deleted it.
Request an external IT audit when the cause is unclear, when a former employee or vendor may be involved, when admin accounts were used, when logs show suspicious access, when sensitive business data is affected, or when management needs an independent view of what happened. The audit should review access rights, logs, backups, offboarding, admin ownership, vendor access, and whether controls were strong enough.
A snapshot captures the state of a volume at a specific point in time and is stored on the same NAS device. It is fast to create and restore from, making it effective for recovering from accidental deletion or ransomware — as long as the NAS itself is still functioning. A backup is a separate copy stored on a different device or location. If the NAS fails completely, snapshots are lost with it. A backup survives the failure of the primary device. Both are useful; neither replaces the other.
Working with JET IT Services on File Recovery and Data Protection
If your organisation has experienced a file loss incident, or if you are not confident that your current backup, NAS, or server setup would survive one, JET IT Services can help. We work with foreign companies operating in Greater China and across APAC to respond to active data loss incidents, review and repair backup configurations, audit NAS and server environments, and build the disaster recovery procedures that local offices need but rarely have in place.
Our team supports international businesses in English and can engage directly with local vendors and IT environments across Greater China. Whether you need immediate assistance with a recovery situation, a structured backup audit, a ransomware readiness review, an external IT audit after suspicious activity, or ongoing managed IT support for your Greater China or APAC operations, we are available to discuss your specific situation.
For cases that require additional specialist support, JET IT can coordinate with trusted partners such as TEK-ID for technical or investigative support and PSU for broader risk, security, corporate intelligence, or investigation-related matters.
Need help recovering lost files?
JET IT supports foreign companies in Greater China and APAC to recover server and NAS data safely, perform IT audits, and implement backup and recovery best practices. Ensure your critical business data is protected and your recovery process is structured and reliable with JET IT Services.