Pierluigi Paganini November 18, 2019

NextCry is a new ransomware that was spotted by researchers while encrypting data on Linux servers in the wild.

Security experts spotted new ransomware dubbed NextCry that targets the clients of the NextCloud file sync and share service.

The name comes from the extensions the ransomware appends to the filenames of encrypted files. The malicious code targets Nextcloud instances and it is currently undetected by antivirus engines.

“xact64, a Nextcloud user, posted on the BleepingComputer forum some details about the malware in an attempt to find a way to decrypt personal files.” reads the post published by BleepingComputer that reported the news.

The user explained that even if his system was backed up, the synchronization process had started to update files on a laptop with the encrypted version on the server.

“I realized immediately that my server got hacked and those files got encrypted.” said xact64. “The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted)”

The user has provided the case SHA1 to BleepingComputer and the popular malware researcher Michael Gillespie analyzed it confirming that the threat is new and uses Base64 to encode the file names. Gillespie added that the ransomware uses the AES‌-256 algorithm to encrypt the files and that the key is encrypted with an RSA-2048 public key embedded in the code of the ransomware.

NextCry is a Python script that has been compiled in a Linux ELF binary using the pyInstaller.

The ransomware demands a ransom of BTC 0.025 (roughly $210 at the time of writing). The analysis of the balance for the bitcoin wallet provided by crooks revealed that no one has paid the ransom until now.

Below the ransom note dropped by the ransomware after the files have been encrypted.

“YOU HAVE BEEN HACKED YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM – SEND 0.025 BTC TO THE FOLLOWING WALLET wallet address AND AFTER PAY CONTACT their email TO RECOVER THE KEY NECESSARY TO DECRYPT YOUR FILES”

The analysis of the compiled script extracted by another member of the BleepingComputer forum confirmed that the malicious code was designed to targets NextCloud users.

Once executed, the NextCry ransomware reads the NextCloud service’s config.php file in order to find the NextCloud file share and sync data directory. Then the malware deletes some folders that could be used to restore files and then encrypts all the files in the data directory.

Four days ago, another user that goes online with the handle ‘alexpw‘ published on the platform’s support page a message that describes the way his instance, running the latest version of the software, was infected. According to ‘ialexpw‘, he had been locked via SSH.

“Just a warning. It seems there’s a vuln somewhere as my instance of NextCloud got taken over today. My server was locked down already, using SSH keys and NextCloud was up to date.” wrote the users.

The description shared by Alex suggests that attackers have exploited some vulnerabilities in the server.

On October 24, Nextcloud released an urgent alert for the CVE-2019-11043 RCE in NGINX, experts warn of the availability of a public exploit for the issue.

“In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php–fpm configurations. If you do not run NGINX, this exploit does not effect you.” reads the alert.

“Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this attack.”

Nextcloud admins are recommended to upgrade their PHP packages and NGINX configuration file to the latest version.

Pierluigi Paganini

(SecurityAffairs – NextCry ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]