Linux Ransomware: NextCry encrypts data in cloud storage from Nextcloud

22 November 2019

New Ransomware campaign in the wild targeting Nextcloud installations

The first thing the Trojan does after execution is to search config.php for the Nextcloud file share and sync data directory, Bleeping Computer reported. The files in that directory are encrypted and the extension NEXTCRY is appended to their names. A ransom note demands 0.025 bitcoins and names a wallet and an email address.

Unlike most well-known ransomware campaigns, which aim at the broadest possible mass of victims (and thus of ransom payments), NextCry selects its victims specifically from the users of one platform. Once on the system, it encrypts the contents of the data directory with a correctly implemented AES algorithm using a 256-bit key, so there is no cryptographic weakness to exploit for recovery, and it deletes files that could help with recovery. There is no decrypter yet.

The infections known so far are only a few days old; larger waves of attacks could follow. Nextcloud server admins should immediately secure their systems against the vulnerability CVE-2019-11043, which was discovered a few weeks ago and affects PHP applications running in conjunction with NGINX. It appears to be the entry point for NextCry. Nextcloud had already warned about this vulnerability before the first attacks, which may have kept the Trojan from spreading further.

“The difficult thing about this malware is that you are almost powerless as a user because the problem is at hosters, on the server side,” says security specialist Benjamin Paar. He adds: “I strongly recommend that all users create a valid, up-to-date offline backup – otherwise, the backed-up files may be overwritten with the encrypted ones during automatic synchronization with the cloud.”
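The two behaviours described above, reading the data directory out of config.php and leaving encrypted files with a NEXTCRY extension beside a ransom note, are also the indicators a defender can check for, both on the server and in a backup before a sync job is allowed to refresh it. The following script is an added example written for this article, not code from IKARUS, Nextcloud or the malware itself. It parses the `datadirectory` entry from a Nextcloud config.php, walks the data directory counting `.NEXTCRY` files and suspected ransom notes, and exposes a `backup_is_clean()` gate for the offline-backup advice. The ransom-note filename pattern `README_FOR_DECRYPT` and the whole sample tree are constructed assumptions for the demo; the article names neither.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Indicators taken from the article: encrypted files get the extension
# "NEXTCRY" appended, and the malware locates the data directory via config.php.
ENCRYPTED_SUFFIX = ".NEXTCRY"
# Assumed ransom-note name fragment for this example; the article does not name the note file.
RANSOM_NOTE_HINT = "README_FOR_DECRYPT"

# Matches the 'datadirectory' => '/path' entry of a Nextcloud config.php.
DATADIR_RE = re.compile(r"""['"]datadirectory['"]\s*=>\s*['"]([^'"]+)['"]""")


def find_nextcloud_datadir(config_php: str) -> Optional[str]:
    """Return the 'datadirectory' value from config.php text, or None if absent."""
    m = DATADIR_RE.search(config_php)
    return m.group(1) if m else None


def scan_for_nextcry(root: str) -> dict:
    """Walk a directory tree and collect NextCry indicators.

    Returns the total number of files seen, the paths carrying the NEXTCRY
    extension, and the paths that look like ransom notes, so the caller can
    judge how far an infection (or a contaminated backup) has progressed.
    """
    encrypted, notes, total = [], [], 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            total += 1
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            elif RANSOM_NOTE_HINT in name.upper():
                notes.append(path)
    return {"total": total, "encrypted": encrypted, "ransom_notes": notes}


def backup_is_clean(backup_root: str) -> bool:
    """Gate for the offline-backup advice: refuse to treat a snapshot as a good
    backup if it already contains encrypted files or a ransom note."""
    result = scan_for_nextcry(backup_root)
    return not result["encrypted"] and not result["ransom_notes"]


def build_sample_tree() -> tuple:
    """Construct a tiny Nextcloud-like layout (constructed sample data, not a
    real victim) with one encrypted file, one untouched file and one ransom
    note. Returns (config_php_path, data_directory)."""
    base = Path(tempfile.mkdtemp(prefix="nextcry-demo-"))
    datadir = base / "data"
    files = datadir / "alice" / "files"
    files.mkdir(parents=True)
    (files / "report.pdf.NEXTCRY").write_bytes(b"\x00\x01encrypted-blob")
    (files / "notes.txt").write_text("still plaintext")
    (files / "README_FOR_DECRYPT.txt").write_text("pay 0.025 BTC")
    config = base / "config" / "config.php"
    config.parent.mkdir()
    config.write_text(
        "<?php\n$CONFIG = array (\n"
        f"  'datadirectory' => '{datadir}',\n"
        "  'dbtype' => 'sqlite3',\n);\n"
    )
    return str(config), str(datadir)


if __name__ == "__main__":
    config_path, _ = build_sample_tree()
    datadir = find_nextcloud_datadir(Path(config_path).read_text())
    report = scan_for_nextcry(datadir)
    print(f"data directory from config.php: {datadir}")
    print(f"{len(report['encrypted'])} of {report['total']} files carry {ENCRYPTED_SUFFIX}")
    print(f"suspected ransom notes: {report['ransom_notes']}")
    print("safe to use as backup source:", backup_is_clean(datadir))
```

Run it against a real installation by replacing `build_sample_tree()` with the path to the server's config.php; the same `backup_is_clean()` check belongs in front of any job that refreshes the offline copy, so a sync run cannot replace good backups with encrypted ones.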

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna
