NextCry Ransomware Targets NextCloud Linux Servers and Remains Undetected

    Date: 18 Nov 2019
    Category: Features
    Posted By: Brittany Day

    A new and particularly troublesome ransomware variant has been identified in the wild. Dubbed NextCry, this nasty strain of ransomware encrypts data on NextCloud Linux servers and has managed to evade the detection of public scanning platforms and antivirus engines. To make matters worse, there is currently no free decryption tool available for victims.

    Ransomware hunter and creator of ID Ransomware, Michael Gillespie, notes that NextCry, a Python script compiled into a Linux ELF binary with pyInstaller, oddly uses Base64 to encode both the file names and the contents of files it has already encrypted. Gillespie has also confirmed that NextCry encrypts data with AES using a 256-bit key.
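    As an added example (not from the article, Gillespie, or the NextCry analysis), the following defender-side Python script turns the two traits just described, Base64-encoded file names and Base64-encoded file bodies that decode to high-entropy ciphertext, into a sweep over a Nextcloud data directory that flags files resembling NextCry output. The regex, the entropy threshold and the sample directory it builds are assumptions constructed for this demonstration.

```python
import base64
import binascii
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')  # assumed pattern, not from the article
ENTROPY_THRESHOLD = 7.0  # bits/byte, assumed: AES output scores near 8, text far lower

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for empty input, 8 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_base64_name(name: str) -> bool:
    # Base64 output length is a multiple of 4; very short names are ignored to limit noise.
    return len(name) >= 8 and len(name) % 4 == 0 and B64_RE.match(name) is not None

def base64_decoded_body(data: bytes):
    """Decoded bytes if the whole file body is one valid Base64 string, else None."""
    try:
        return base64.b64decode(data.strip(), validate=True)
    except binascii.Error:
        return None

def suspicious_files(root: str) -> list:
    """Flag files whose name is Base64 and whose Base64-decoded body looks like ciphertext."""
    hits = []
    for path in Path(root).rglob('*'):
        if not path.is_file() or not looks_base64_name(path.name):
            continue
        payload = base64_decoded_body(path.read_bytes())
        if payload and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
            hits.append(str(path))
    return sorted(hits)

def build_sample_dir() -> str:
    """Constructed sample tree: one NextCry-style file, one plain file, one Base64-like name with a text body."""
    root = Path(tempfile.mkdtemp(prefix='nextcry-demo-')) / 'data'
    root.mkdir()
    enc_name = base64.b64encode(b'budget.xlsx').decode()               # YnVkZ2V0Lnhsc3g=
    (root / enc_name).write_bytes(base64.b64encode(os.urandom(4096)))  # stand-in for AES output
    (root / 'notes.txt').write_text('quarterly notes, nothing encrypted here\n')
    (root / 'Makefile').write_text('all:\n\techo build\n')             # name fits, body does not
    return str(root)
```

    Run `suspicious_files('/path/to/nextcloud/data')` against a real data directory; only files that satisfy both the name and the body test are reported, so a Base64-looking name with ordinary text inside (the `Makefile` in the sample) is ignored.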

    The ransom note that NextCry victims receive is named “READ_FOR_DECRYPT”, and it demands 0.025 BTC for a victim’s files to be unlocked.

    One NextCloud user, xact64, shared his experience with the malware on a Bleeping Computer forum in an effort to find a way to decrypt personal files which had been instantaneously locked in a NextCry attack: “I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted).” He added, “I have my own Linux server (an old thin client I gave a second life) with NGINX reverse-proxy.”

    This statement provides insight into how hackers may have been able to access his system. On October 24, NextCloud disclosed a remote code execution vulnerability (CVE-2019-11043) which has been exploited to compromise servers with the default Nextcloud NGINX configuration.

    NextCloud recommends that administrators upgrade their PHP packages and NGINX configuration file to the latest version to protect against NextCry attacks.

    How to Protect Your Linux System from Ransomware:

    In addition to upgrading to the latest version of PHP and NGINX, here is a list of best practices that administrators and users should implement to protect their Linux systems from NextCry and other emerging ransomware variants:

    • Update your system frequently. Set up automatic updates whenever possible.
    • Track security advisories and apply software patches as soon as they are released.
    • Create backups on a regular basis. This won’t prevent a ransomware attack, but it can reduce the devastation caused by one. Be aware that backups are not foolproof: ransomware may sit idle for weeks until it is triggered, potentially destroying backups.
    • Ransomware often arrives via email, and ransomware emails can be very difficult to identify. Having a well-designed, multi-layered email security gateway in place that detects malicious emails (such as those containing ransomware) and prevents them from reaching the inbox can significantly decrease your risk of suffering a ransomware attack.

    Have you or somebody you know experienced a NextCry attack? Please reach out to us and share your story.
