New Ransomware campaign in the wild targeting Nextcloud installations

The first thing the Trojan does after execution, is searching for the Nextcloud Fileshare and Sync Data Directory in config.php, Bleeping Computer reported. The files are encrypted and the file extension NEXTCRY is appended. A ransom note asks for 0.025 bitcoins, naming a wallet and an email address.

Unlike most well-known ransomware campaigns, which want to reach a broad mass of victims (and thus ransom), NextCry selects its victims specifically from the users of a certain platform. Once in the system, it encrypts the data in the data directory using an intact AES algorithm with a 256-bit key and deletes files that could help with recovery. There is no decrypter yet.

The previously known infections are only a few days old, larger waves of attack could follow. Nextcloud server admins should immediately secure the systems against the vulnerability CVE-2019-11043, which was discovered a few weeks ago and occurs in PHP applications in conjunction with NINX. It seems to be the gateway for NextCry. Nextcloud had already informed about this vulnerability before the first attacks, perhaps preventing the Trojan from spreading further.

“The difficult thing about this malware is that you are almost powerless as a user because the problem is at hosters, on the server side,” says security specialist Benjamin Paar. He adds “I strongly recommend that all users create a valid, up-to-date offline backup – otherwise, the backed up files may be overwritten with the encrypted ones during automatic synchronization with the cloud.”