How a Bilibili Creator’s NAS Was Crippled by Buran Ransomware – Key Security Lessons
A popular Bilibili video creator’s privately built NAS was hijacked by the Windows‑targeting Buran ransomware, encrypting hundreds of gigabytes of video assets, prompting a ransom demand and exposing the critical need for robust NAS security, data backup, and awareness of ransomware tactics.
Incident Overview
A popular Bilibili creator’s video‑production NAS was compromised on its first day of use. The attacker deployed the Buran ransomware, which targets Windows systems, encrypting hundreds of gigabytes of video assets and leaving a ransom note.
Ransom Note
!!!ALL YOUR FILES ARE ENCRYPTED!!! !!!你所有的文件都被加密了!!!
The note demands a unique decryption key, warns against renaming files or using third‑party tools, and provides an ID for contacting the attackers via specific email addresses.
Technical Analysis of Buran Ransomware
No Parameters
The malware copies itself to a designated directory, creates an auto‑start entry, and restarts with the -start flag. If the restart fails, it repeats the same actions.
Parameter -start
It generates a user RSA public key and a custom MachineID, writes both to the Windows registry, deletes existing backups, scans for encryptable disks, records each disk in the registry, launches a ransomware process for each disk using the -agent<IndexInReg> flag, and drops a ransom‑info file on the desktop.
Parameter -agent
For the disk identified by the registry index, the malware encrypts files using the RC4 stream cipher (the first 32 bytes of each encrypted file hold the key; the remainder is the ciphertext). It then creates a final ransom file with contact instructions and offers to decrypt one file for free as proof of capability.
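The file layout described above, as an added example for triaging a suspect file on an isolated host (this is not code from the article or from the malware): it assumes the stated layout of a 32-byte RC4 key followed by RC4 ciphertext, splits a file accordingly, decrypts, and checks for an MP4 header to confirm the assumption held; the sample input is constructed.

```python
# Added illustrative example, not code from the original article.
# Assumption taken from the write-up: an encrypted file is laid out as
#   [32-byte RC4 key][RC4 ciphertext of the original file].
# Real Buran samples may differ (e.g. wrap the key with RSA); treat this as an
# educational reconstruction for checking a suspect file on an isolated host.
from typing import Iterator

KEY_LEN = 32  # key prefix length stated in the write-up

def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield the RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

def recover_plaintext(blob: bytes) -> bytes:
    """Split a file in the described layout into key + ciphertext and decrypt."""
    if len(blob) < KEY_LEN:
        raise ValueError("file shorter than the 32-byte key prefix")
    key, ciphertext = blob[:KEY_LEN], blob[KEY_LEN:]
    return rc4(key, ciphertext)

def looks_like_mp4(data: bytes) -> bool:
    """Sanity check: an MP4/MOV file starts with a box whose type at offset 4 is 'ftyp'."""
    return len(data) >= 8 and data[4:8] == b"ftyp"

def build_sample(key: bytes, plaintext: bytes) -> bytes:
    """Constructed test input mimicking the layout; not real ransomware output."""
    assert len(key) == KEY_LEN
    return key + rc4(key, plaintext)

# Constructed sample: a fake MP4 header plus filler, encrypted under a fixed key.
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_PLAINTEXT = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 8 + b"video-data..."
SAMPLE_FILE = build_sample(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = recover_plaintext(SAMPLE_FILE)
    print("header check after recovery:", looks_like_mp4(recovered))
```

If the header check fails on a real sample, the layout assumption is wrong for that variant and the file should be preserved unchanged for proper analysis rather than processed further.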
Security Recommendations
Conduct regular security audits, apply patches promptly, and enforce strong passwords.
Implement strict access controls and multi‑factor authentication for NAS devices.
Maintain frequent, offline backups of critical data.
Deploy reputable security software to detect and block malware.
Secure the physical environment against fire, theft, water damage, and power interruptions.
Other Notable Ransomware Incidents
Ransomware attacks affect organizations of all sizes. The U.S. pharmaceutical company ExecuPharm suffered a CL0P ransomware breach that exposed personal data, and TSMC experienced a 2018 ransomware incident that halted production lines, costing billions due to an unpatched Windows 7 machine.
ITPUB