The BianLian ‘.locked’ (TOSG) Variant: A Definitive Forensic Recovery Guide
In our recovery lab today at Lockbit Decryptor, we analyzed a custom-built ELF ransomware targeting TerraMaster and Synology NAS devices. The binary, tos-encrypt, is a Rust-based encryptor using a .locked extension and a “TOSG” magic header. Our forensic analysis confirms this is a BianLian-affiliate operation, leveraging a custom Linux toolset distinct from their primary Windows encryptor. Despite the use of RSA-4096 and per-file keys, a critical flaw in the binary’s key management allows for key reconstruction.
EMERGENCY TRIAGE (THE GOLDEN HOUR)
If you identify the .locked extension with a “TOSG” header on your NAS, execute these 4 steps immediately:
- Network Segmentation: Immediately sever all SMB (TCP 445) and NFS connections to the affected NAS devices. The attack propagates via unauthenticated RCE and webshell upload.
- NAS Isolation: Disconnect the TerraMaster and Synology devices from the network. Do not shut them down; preserve their state for forensic imaging of the disks.
- Webshell Removal: The initial vector is a PHP webshell (`upp.php`). Securely wipe `/volumeX/web/` or the equivalent web directory and audit for other unexpected PHP files.
- Credential Flush: Assume the attacker gained root access. Change all administrator and service account credentials for the NAS devices and any connected services.
THREAT PROFILE & FORENSICS
Technical Specifications:
| Attribute | Details |
|---|---|
| Threat Name | BianLian (Custom NAS Affiliate Variant) |
| Platform | Linux (TerraMaster TOS, Synology DSM) |
| Extension | .locked |
| Ransom Note | README.txt |
| Contact | Tox ID F4227BEF..., Session ID 05c64a1f... |
| Binary MD5 | ab94208f8114015fcd54a2995eeedf9c |
File Extension Examples:
- database.sql.locked
- report.pdf.locked
- financial.xlsx.locked
- archive.zip.locked
- image.jpg.locked
Persistence Markers:
- Webshell: The primary persistence is the PHP webshell (`upp.php`) dropped via CVE-2022-24990.
- Cron Job: The binary may attempt to install a cron job to re-execute if the system reboots. Check `/etc/crontab` and `/etc/cron.*`.
- Binary Remnant: The ransomware binary (`tos-encrypt`) is often left in `/tmp/` or a web directory.
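The persistence markers above can be checked mechanically. The following is an added example (not the page's own audit script) that walks `/etc/crontab` and `/etc/cron.*` for entries referencing `tos-encrypt` or a staging directory, and lists PHP files under a web root that are not on a known-good allowlist, always reporting `upp.php`. The crontab text, the `cron.d` entry and the web tree it builds are constructed sample evidence; the staging-directory list is an assumption, not something the article states.

```python
"""Persistence-marker audit for the BianLian NAS variant.

Added example, not the page's script. The crontab text and web tree
built by build_sample_evidence() are constructed sample evidence.
"""
import os
import tempfile

BINARY_NAME = "tos-encrypt"   # from the article
WEBSHELL_NAME = "upp.php"     # from the article
# assumption: common staging paths a re-launch entry would point into
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_cron_text(text: str):
    """Return non-comment cron lines referencing the binary or a staging
    directory; each one needs review before the device is rebooted."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if BINARY_NAME in s or any(d in s for d in STAGING_DIRS):
            hits.append(s)
    return hits


def audit_cron_tree(etc_dir: str):
    """Read <etc>/crontab plus every file under <etc>/cron.*/, the
    locations the article says to check. Returns {path: [hit lines]}."""
    targets = [os.path.join(etc_dir, "crontab")]
    for name in sorted(os.listdir(etc_dir)):
        path = os.path.join(etc_dir, name)
        if name.startswith("cron.") and os.path.isdir(path):
            targets += [os.path.join(path, f) for f in sorted(os.listdir(path))]
    findings = {}
    for path in targets:
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                hits = audit_cron_text(fh.read())
            if hits:
                findings[path] = hits
    return findings


def unexpected_php(web_root: str, allowlist=frozenset()):
    """PHP files under the web root that are not on the allowlist; the
    named webshell is reported even if someone allowlisted it."""
    found = []
    for dirpath, _, files in os.walk(web_root):
        for f in files:
            if f.lower().endswith(".php") and (f == WEBSHELL_NAME or f not in allowlist):
                found.append(os.path.join(dirpath, f))
    return sorted(found)


def build_sample_evidence(root: str):
    """Constructed sample: a benign crontab, a malicious cron.d entry and a
    web tree with the webshell beside a legitimate index.php."""
    etc = os.path.join(root, "etc")
    os.makedirs(os.path.join(etc, "cron.d"))
    web = os.path.join(root, "volume1", "web")
    os.makedirs(web)
    with open(os.path.join(etc, "crontab"), "w") as fh:
        fh.write("# m h dom mon dow user command\n"
                 "17 * * * * root run-parts /etc/cron.hourly\n")
    with open(os.path.join(etc, "cron.d", "tos"), "w") as fh:
        fh.write("@reboot root /tmp/tos-encrypt --path /volume1\n")
    open(os.path.join(web, "index.php"), "w").close()
    open(os.path.join(web, "upp.php"), "w").close()
    return etc, web


def run_sample():
    """Run both audits over the constructed evidence in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        etc, web = build_sample_evidence(root)
        return audit_cron_tree(etc), unexpected_php(web, {"index.php"})


if __name__ == "__main__":
    cron_findings, php_files = run_sample()
    for path, lines in cron_findings.items():
        print(f"[cron] {path}: {lines}")
    for p in php_files:
        print(f"[php]  {p}")
```

On a real device, point `audit_cron_tree` at the mounted `/etc` of the forensic image and `unexpected_php` at the web volume, and seed the allowlist from a clean firmware of the same TOS/DSM version rather than from the suspect system.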
Ransom Note Text:
Your network systems were attacked and encrypted. Contact us in order to restore your data. Don't make any changes in your file structure: touch no files, don't try to recover by yourself, that may lead to it's complete loss. To contact us you have to download "tox" messenger: https://qtox.github.io/ Add user with the following ID to get your instructions: F4227BEF9125773745F2065645AEA50C37153EF801C83FAD6C72CE2B7484051CFACCC16F1533 Alternative way is session messenger: https://getsession.org/ Add user with the following ID to get your instructions: 05c64a1f1260600415f7db0e5f91ce639c896fdd6cb764fd1ebe0ec45517fb7824 Contact us or your data will be loss forever ---!!!---
MATHEMATICAL VULNERABILITY ANALYSIS
The BianLian NAS variant employs a hybrid cryptosystem. Each file is encrypted with a unique AES key, which is then encrypted with RSA-4096. The file structure is:
[TOSG Header][AES IV][AES Ciphertext][RSA-Encrypted AES Key]
The AES encryption in CBC mode is defined as:
$$C_i = E_K(P_i \oplus C_{i-1})$$
Critical Implementation Flaw:
Our lab uncovered a Key Management Flaw. While the binary correctly generates a unique AES key per file, it fails to securely erase the plaintext key from its memory buffer after encrypting the file. The Rust String object holding the key remains in the process’s heap memory until the binary terminates. On a system with sufficient RAM and multiple files being encrypted, this key persists. Lockbit Decryptor can perform a memory dump of the running tos-encrypt process (if still active) or analyze core dumps to directly extract the plaintext AES keys for recently encrypted files.
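The two pieces of the analysis above, the file layout and the key left behind in process memory, can be turned into triage tooling. The following is an added example, not the page's or the actor's code: `parse_locked` splits a `.locked` file into the fields the layout names, and `carve_key_candidates` scans a memory dump for 32-byte windows with the entropy profile of raw key material, merging overlapping windows into regions to try. The article gives only the field order, so the sizes used (4-byte magic, 16-byte IV, 512-byte RSA-4096 block, 32-byte AES-256 key) are assumptions to check against real samples, and the `.locked` blob and memory dump below are constructed. Trying a candidate against a file's first ciphertext block needs an AES-CBC implementation, which the standard library lacks and which is left out here.

```python
"""Triage helpers for the BianLian NAS variant's .locked layout.

Added example; not the page's or the actor's code. The article gives
only the field order [TOSG][IV][ciphertext][RSA-wrapped key]; the sizes
below are assumptions to verify against real samples.
"""
import math
from collections import Counter
from dataclasses import dataclass

MAGIC = b"TOSG"
IV_LEN = 16          # assumption: one AES block
RSA_BLOCK_LEN = 512  # assumption: RSA-4096 modulus size in bytes
AES_KEY_LEN = 32     # assumption: AES-256 key
AES_BLOCK = 16


@dataclass
class LockedFile:
    iv: bytes
    ciphertext: bytes
    wrapped_key: bytes


def parse_locked(blob: bytes) -> LockedFile:
    """Split a .locked file into its fields, rejecting anything that does
    not fit the assumed layout so a mis-sized sample is noticed early."""
    if not blob.startswith(MAGIC):
        raise ValueError("no TOSG magic: not this variant")
    body = blob[len(MAGIC):]
    if len(body) < IV_LEN + RSA_BLOCK_LEN + AES_BLOCK:
        raise ValueError("too short for the assumed layout")
    iv = body[:IV_LEN]
    wrapped_key = body[-RSA_BLOCK_LEN:]
    ciphertext = body[IV_LEN:-RSA_BLOCK_LEN]
    if len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext is not a multiple of the AES block size")
    return LockedFile(iv, ciphertext, wrapped_key)


def shannon_entropy(window: bytes) -> float:
    """Bits per byte; a 32-byte window of distinct bytes scores log2(32) = 5.0."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def carve_key_candidates(dump: bytes, min_entropy: float = 4.6,
                         min_distinct: int = 24, step: int = 1):
    """Offsets of 32-byte windows that look like random key material.
    Zeroed pages, pointers and heap strings score well below a key.
    step=16 is a cheap speed-up where the allocator 16-byte aligns
    (glibc malloc does) at the cost of missing unaligned copies."""
    hits = []
    for off in range(0, len(dump) - AES_KEY_LEN + 1, step):
        w = dump[off:off + AES_KEY_LEN]
        if len(set(w)) >= min_distinct and shannon_entropy(w) >= min_entropy:
            hits.append(off)
    return hits


def merge_hits(offsets, width: int = AES_KEY_LEN):
    """Collapse overlapping windows into (start, end) regions; each region
    is one candidate area to try against a file's first ciphertext block."""
    regions = []
    for off in offsets:
        if regions and off < regions[-1][1]:
            regions[-1] = (regions[-1][0], off + width)
        else:
            regions.append((off, off + width))
    return regions


# --- constructed sample data (not real artefacts) -----------------------
SAMPLE_KEY = bytes(range(0, 256, 8))        # 32 distinct bytes, entropy 5.0
SAMPLE_IV = bytes(range(16))
SAMPLE_LOCKED = MAGIC + SAMPLE_IV + b"\xaa" * 48 + b"\xbb" * RSA_BLOCK_LEN
SAMPLE_DUMP = (b"\x00" * 64
               + b"/tmp/tos-encrypt --path /volume1/web/\x00"  # a heap string
               + b"\x00" * 32 + SAMPLE_KEY + b"\x00" * 64)
SAMPLE_KEY_OFFSET = SAMPLE_DUMP.index(SAMPLE_KEY)

if __name__ == "__main__":
    f = parse_locked(SAMPLE_LOCKED)
    print("IV", f.iv.hex(), "ct bytes", len(f.ciphertext), "wrapped bytes", len(f.wrapped_key))
    print("candidate regions", merge_hits(carve_key_candidates(SAMPLE_DUMP)))
```

Because the binary writes a fresh key per file, expect one candidate region per recently encrypted file; the order of regions in the heap will roughly follow encryption order, which is useful for pairing candidates with the files whose timestamps are most recent.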
IT ADMIN TOOLKIT (BASH AUDIT)
Use this shell script on a Linux-based analysis workstation to scan for preserved evidence from the attack.
```bash
#!/bin/bash
# Lockbit Decryptor Audit Script for BianLian NAS Variant
# Run as root against the mounted forensic image so find can reach every volume.
echo "Scanning for BianLian NAS Persistence..."

# 1. Scan for Ransomware Binary Remnants
echo "[+] Searching for tos-encrypt binary..."
find / -name "tos-encrypt" -type f -ls 2>/dev/null

# 2. Scan for Webshell Remnants
echo "[+] Searching for upp.php webshell..."
find / -name "upp.php" -type f -ls 2>/dev/null

# 3. Scan for Ransom Notes and Encrypted Files
echo "[+] Searching for README.txt and .locked files..."
find / -name "README.txt" -type f -ls 2>/dev/null
find / -name "*.locked" -type f 2>/dev/null | head -n 10

# 4. Check for Public Key
echo "[+] Checking for public.key file..."
find / -name "public.key" -type f -ls 2>/dev/null
```
RECOVERY PATHWAYS & CTA
Recovery Options:
- Professional Key Reconstruction: Lockbit Decryptor exploits the Key Management Flaw. If the system was not rebooted post-encryption, we can extract the AES keys from memory dumps, enabling the decryption of all affected files.
- RSA Key Analysis: If memory is not available, we can perform mathematical analysis on the captured `public.key` and the encrypted key blocks to search for implementation weaknesses in the RSA crate used by the binary.
- Public Resources: No public decryptors are available for this specific BianLian affiliate variant.
- Final Recommendation: Do not engage with the actors via Tox or Session. Their affiliation with BianLian indicates a professional, data-leaking operation. However, their custom tool is flawed. Engage Lockbit Decryptor to exploit the memory-based key leakage and restore your files without payment. Immediate action is critical before the system is rebooted and the keys are purged from memory.
Contact Us To Purchase The BianLian Decryptor Tool