Linux Ransomware: NextCry encrypts data in cloud storage from Nextcloud

22. November, 2019

New Ransomware campaign in the wild targeting Nextcloud installations

The first thing the Trojan does after execution, is searching for the Nextcloud Fileshare and Sync Data Directory in config.php, Bleeping Computer reported. The files are encrypted and the file extension NEXTCRY is appended. A ransom note asks for 0.025 bitcoins, naming a wallet and an email address.

Unlike most well-known ransomware campaigns, which want to reach a broad mass of victims (and thus ransom), NextCry selects its victims specifically from the users of a certain platform. Once in the system, it encrypts the data in the data directory using an intact AES algorithm with a 256-bit key and deletes files that could help with recovery. There is no decrypter yet.

The previously known infections are only a few days old, larger waves of attack could follow. Nextcloud server admins should immediately secure the systems against the vulnerability CVE-2019-11043, which was discovered a few weeks ago and occurs in PHP applications in conjunction with NINX. It seems to be the gateway for NextCry. Nextcloud had already informed about this vulnerability before the first attacks, perhaps preventing the Trojan from spreading further.

“The difficult thing about this malware is that you are almost powerless as a user because the problem is at hosters, on the server side,” says security specialist Benjamin Paar. He adds “I strongly recommend that all users create a valid, up-to-date offline backup – otherwise, the backed up files may be overwritten with the encrypted ones during automatic synchronization with the cloud.”

Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling
Cyber-Risiken in der Ferienzeit
Dynamische Cybersicherheit
Harmony Mobile by Check Point
EU Machinery Regulation
Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest


IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500


Support hotline:
+43 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download