NextCry is a new ransomware that has started targeting Linux servers that operate decentralized file syncing and sharing services powered by the open source NextCloud software. The ransomware is currently not being detected by antivirus engines.
BleepingComputer forum user xact64 reported that half of his files got encrypted by NextCry after the ransomware infected his NextCloud server. The file sharing software continued to update the files on his laptop with the encrypted version until he realized what was going on and stopped the server from sending the files to his laptop.
“I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted),” the forum user said.
The forum member provided some of their encrypted files to Michael Gillespie, a well-known security researcher, who confirmed that the files were encrypted by a new ransomware using the AES-256 and RSA-2048 encryption algorithms. The former was used to encrypt the files and the latter to encrypt the AES-256 password.
The ransom note delivered by the malware states:
“YOU HAVE BEEN HACKED YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM – SEND 0.025 BTC TO THE FOLLOWING WALLET [wallet cryptographic address] AND AFTER PAY CONTACT [the cyber criminals’ email] TO RECOVER THE KEY NECESSARY TO DECRYPT YOUR FILES”
The ransomware demands BTC 0.025 (roughly $200, depending on Bitcoin’s current price). An analysis of the wallet that was supposed to receive this ransom money revealed that no one has sent the cyber criminals any money yet.
How NextCry Works
After it executes on the NextCloud-enabled computer, the malware reads the NextCloud service’s config.php to find the data directory that NextCloud uses for file sharing and syncing. The ransomware first deletes any folders and files that might be used to restore infected files to their previous clean state and then begins to encrypt the victim’s files.
Last week, another user reported on NextCloud’s support pages that his instance was taken over via some vulnerability and that he got locked out of his SSH account.
“Just a warning. It seems there’s a vuln somewhere as my instance of NextCloud got taken over today. My server was locked down already, using SSH keys and NextCloud was up to date,” the user wrote.
The vulnerability that allowed the ransomware to infect the servers seems to have been known for a few weeks, as on October 24, NextCloud issued an urgent alert saying that NextCloud users that run NGINX servers are vulnerable to a remote code execution security flaw.
“In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not affect you.”
To avoid getting infected, users should update their NGINX and PHP packages, as well as use the latest version of NextCloud.
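A configuration check an administrator could run alongside those updates, as an added example that is not from the article or from NextCloud: it flags NGINX location blocks that pass requests to PHP-FPM using fastcgi_split_path_info with no file-existence check, the configuration pattern that public write-ups of CVE-2019-11043 describe as exposed. The sample config, the php-handler upstream name and the function names are constructed for illustration, and the parsing is a heuristic.

```python
import re

# Constructed sample config (not from the article): the first PHP location
# has no file-existence check, the second has the try_files guard.
SAMPLE_CONF = r"""
server {
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
    location ~ ^/app/.+\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
}
"""

# Either guard makes NGINX answer 404 itself when the script file is missing.
GUARD = re.compile(r"try_files\s+[^;]*=404\s*;|if\s*\(\s*!\s*-[fe]\s")

def location_blocks(conf):
    """Yield (matcher, body) per location block using brace matching.
    Heuristic: assumes no '#' or braces inside quoted strings or regexes."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for m in re.finditer(r"\blocation\s+([^{;]+)\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def audit(conf):
    """Return matchers of PHP-FPM locations that split PATH_INFO unguarded."""
    findings = []
    for matcher, body in location_blocks(conf):
        to_fpm = re.search(r"\bfastcgi_pass\b", body)
        splits = re.search(r"\bfastcgi_split_path_info\b", body)
        if to_fpm and splits and not GUARD.search(body):
            findings.append(matcher)
    return findings

if __name__ == "__main__":
    for matcher in audit(SAMPLE_CONF):
        print("review location:", matcher)
```

A clean result from this check does not replace the package updates; it only narrows which location blocks to review by hand.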