Linux Ransomware: NextCry encrypts data in cloud storage from Nextcloud

22. November, 2019

New Ransomware campaign in the wild targeting Nextcloud installations

According to Bleeping Computer, the first thing the Trojan does after execution is search config.php for the Nextcloud file-share and sync data directory. The files there are encrypted and the extension NEXTCRY is appended to their names. A ransom note demands 0.025 bitcoins and names a wallet and an email address.

Unlike most well-known ransomware campaigns, which aim to reach as many victims (and thus ransoms) as possible, NextCry specifically targets the users of a single platform. Once on the system, it encrypts the data in the data directory using an intact, unflawed AES implementation with a 256-bit key and deletes files that could help with recovery. No decrypter exists yet.
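As an added defender-side example (not code from IKARUS, Nextcloud or the malware report), the following Python script reads the `datadirectory` value from a Nextcloud config.php, the same setting the Trojan looks up, and scans that tree for files carrying the NEXTCRY extension so an admin can quickly gauge whether an installation has been hit. It assumes the standard `'datadirectory' => '...'` form of the config entry and builds a constructed, throwaway sample tree for demonstration.

```python
import os
import re
import tempfile

# Extension NextCry appends to the files it encrypts (from the report).
NEXTCRY_EXT = ".NEXTCRY"


def read_datadirectory(config_php_path):
    """Return the 'datadirectory' value from a Nextcloud config.php, or None.

    Nextcloud writes the entry as  'datadirectory' => '/path/to/data',
    which is exactly what the Trojan parses to find its target files.
    """
    with open(config_php_path, "r", encoding="utf-8") as fh:
        text = fh.read()
    m = re.search(r"['\"]datadirectory['\"]\s*=>\s*['\"]([^'\"]+)['\"]", text)
    return m.group(1) if m else None


def find_encrypted_files(data_dir):
    """Walk data_dir and return every file whose name ends in .NEXTCRY."""
    hits = []
    for root, _dirs, files in os.walk(data_dir):
        hits.extend(os.path.join(root, n) for n in files if n.endswith(NEXTCRY_EXT))
    return sorted(hits)


def check_nextcloud(config_php_path):
    """Return (data_dir, list of .NEXTCRY files) for one installation."""
    data_dir = read_datadirectory(config_php_path)
    if data_dir is None or not os.path.isdir(data_dir):
        return data_dir, []
    return data_dir, find_encrypted_files(data_dir)


def build_sample_install():
    """Construct a throwaway Nextcloud-like tree (sample data, not a real install)."""
    base = tempfile.mkdtemp(prefix="nc_sample_")
    user_files = os.path.join(base, "data", "alice", "files")
    os.makedirs(user_files)
    with open(os.path.join(user_files, "report.docx" + NEXTCRY_EXT), "w") as fh:
        fh.write("constructed ciphertext placeholder")
    with open(os.path.join(user_files, "notes.txt"), "w") as fh:
        fh.write("untouched file")
    config_path = os.path.join(base, "config.php")
    with open(config_path, "w") as fh:
        fh.write("<?php\n$CONFIG = array (\n  'datadirectory' => '%s',\n);\n"
                 % os.path.join(base, "data"))
    return config_path


if __name__ == "__main__":
    cfg = build_sample_install()
    data_dir, hits = check_nextcloud(cfg)
    print("data directory:", data_dir)
    print("%d file(s) with %s extension" % (len(hits), NEXTCRY_EXT))
    for path in hits:
        print("  ", path)
```

On a real server, point `check_nextcloud` at the installation's own config.php instead of the constructed sample; a non-empty result is a reason to stop the sync clients before they overwrite clean copies.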

The infections known so far are only a few days old; larger waves of attacks could follow. Nextcloud server admins should immediately secure their systems against CVE-2019-11043, a vulnerability discovered a few weeks ago that affects PHP applications running in conjunction with NGINX; it appears to be NextCry's entry point. Nextcloud had already warned about this vulnerability before the first attacks, which may have kept the Trojan from spreading further.

“The difficult thing about this malware is that you are almost powerless as a user because the problem is at hosters, on the server side,” says security specialist Benjamin Paar. He adds: “I strongly recommend that all users create a valid, up-to-date offline backup – otherwise, the backed up files may be overwritten with the encrypted ones during automatic synchronization with the cloud.”
