A new ransomware strain called NextCry is currently targeting NextCloud users. NextCloud is a suite of client-server software for creating and using file hosting services.
When it was first observed in the wild, NextCry was not detected by any of VirusTotal’s antivirus engines. At the time of writing, the ransomware is detected by 7 engines, including FireEye, TrendMicro, Bitdefender, DrWeb, and Kaspersky. Several antivirus engines are currently unable to process the uploaded malicious file.
NextCry Ransomware – Technical Overview
According to security researcher Michael Gillespie, the ransomware is a new threat that Base64-encodes the names of the files it attacks. Note that the file contents are encrypted as well, after the name has been encoded.
According to BC researchers, NextCry is a Python script compiled into a Linux ELF binary with the help of PyInstaller. Its ransom note is located in a file dubbed READ_FOR_DECRYPT. The note says that the user’s files are encrypted with AES using a 256-bit key. Michael Gillespie was able to confirm the use of AES-256, and that the AES key is in turn encrypted with an RSA-2048 public key embedded in the ransomware code.
Security researchers were also able to determine that, so far, the NextCry ransomware targets only NextCloud services and users. Upon execution, the malware locates the victim’s NextCloud file share and sync data directory by reading the NextCloud config.php file. It then deletes folders that could potentially be used to restore files, and finally encrypts all the files located in the data directory.
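A defender-side triage script for the behaviour described above, added here as an example; it is not code from the article, from NextCloud or from the ransomware. It reads the data directory out of config.php the same way the article says NextCry does, then walks that directory looking for the two indicators the article gives: a READ_FOR_DECRYPT ransom note and file names that are plain Base64. The config.php key `datadirectory`, the directory layout and the sample file names are constructed for the demo.

```python
"""Triage helper for a NextCloud host (added example, not the article's or
NextCloud's code). Finds the data directory from config.php, then looks for
the indicators the article names: a READ_FOR_DECRYPT note and Base64 names."""
import base64
import binascii
import os
import re
import tempfile
from typing import Dict, List, Optional

RANSOM_NOTE = "READ_FOR_DECRYPT"
# NextCloud's config.php is a PHP array literal, e.g.
#   'datadirectory' => '/var/www/nextcloud/data',
DATADIR_RE = re.compile(r"""['"]datadirectory['"]\s*=>\s*['"]([^'"]+)['"]""")


def read_datadirectory(config_php: str) -> Optional[str]:
    """Return the datadirectory value from config.php text, or None if absent."""
    m = DATADIR_RE.search(config_php)
    return m.group(1) if m else None


def looks_base64(name: str) -> bool:
    """Heuristic: True if a file name is valid Base64 that decodes to printable
    text (an original file name would). Ordinary names such as 'report.pdf'
    fail on the '.', and short names such as 'data' fail because they decode
    to non-UTF-8 bytes. Treat hits as leads for a human, not as proof."""
    if len(name) < 4 or len(name) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", name):
        return False
    try:
        decoded = base64.b64decode(name, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return bool(decoded) and decoded.isprintable()


def scan_datadir(datadir: str) -> Dict[str, List[str]]:
    """Walk the data directory and collect paths of ransom notes and of files
    whose names look Base64-encoded."""
    notes: List[str] = []
    renamed: List[str] = []
    for root, _dirs, files in os.walk(datadir):
        for f in files:
            path = os.path.join(root, f)
            if f == RANSOM_NOTE:
                notes.append(path)
            elif looks_base64(f):
                renamed.append(path)
    return {"ransom_notes": notes, "base64_named_files": renamed}


def demo() -> Dict[str, List[str]]:
    """Build a constructed NextCloud-like tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    datadir = os.path.join(root, "data")
    files_dir = os.path.join(datadir, "alice", "files")
    os.makedirs(files_dir)
    config = "<?php\n$CONFIG = array (\n  'datadirectory' => '%s',\n);\n" % datadir
    with open(os.path.join(root, "config.php"), "w", encoding="utf-8") as fh:
        fh.write(config)
    # Constructed files: one untouched, one renamed the way the article
    # describes (Base64 of 'report.pdf'), plus the ransom note.
    for name in ("report.pdf", "cmVwb3J0LnBkZg==", RANSOM_NOTE):
        with open(os.path.join(files_dir, name), "w"):
            pass
    with open(os.path.join(root, "config.php"), encoding="utf-8") as fh:
        located = read_datadirectory(fh.read())
    if located is None:
        return {"ransom_notes": [], "base64_named_files": []}
    return scan_datadir(located)


if __name__ == "__main__":
    print(demo())
```

On a real host, point `read_datadirectory` at the instance's config/config.php and run `scan_datadir` on the result; a non-empty `ransom_notes` list is the clearest signal, while `base64_named_files` is a heuristic that still needs a human look.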
In late October, NextCloud released an advisory titled “Urgent security issue in NGINX/php-fpm”. The advisory said that a risk had emerged around NGINX, documented in CVE-2019-11043.
This vulnerability allows remote code execution on some NGINX and php-fpm configurations. A public exploit for CVE-2019-11043 is available, and it has apparently been leveraged in attacks against vulnerable servers. Administrators should update their PHP packages and their NGINX configuration to prevent exploitation.
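A checker for the two mitigations the advisory asks for, added here as an example; it is not code from NextCloud, from the advisory or from the article. The fixed PHP versions it uses (7.1.33, 7.2.24, 7.3.11) are the ones from the PHP release announcements for this bug, and the configuration pattern it flags is the one named in the PHP bug report: a location block that uses `fastcgi_split_path_info`, passes `PATH_INFO` from `$fastcgi_path_info`, and has no `try_files $fastcgi_script_name =404;` guard. Both sample configurations are constructed.

```python
"""CVE-2019-11043 mitigation checker (added example, not the advisory's or
NextCloud's code): is PHP at or past the fixed release for its branch, and
does any nginx location block hand an unverified PATH_INFO to php-fpm?"""
import re
from typing import Iterator, List, Tuple

# First PHP release on each 7.x branch that contains the fix.
FIXED_PHP = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}


def php_is_patched(version: str) -> bool:
    """True if a PHP version string is at or past the fix for its branch.
    Branches older than 7.1 were end-of-life and never received the fix;
    7.4 and later shipped after it. Distro suffixes like '-1ubuntu0.1' are
    ignored, so a backported distro fix would need checking separately."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))
    fixed = FIXED_PHP.get(parts[:2])
    if fixed is None:
        return parts >= (7, 4, 0)
    return parts >= fixed


def location_blocks(conf: str) -> Iterator[Tuple[str, str]]:
    """Yield (header, body) for each nginx location block, matching braces
    by hand so nested blocks are handled."""
    for m in re.finditer(r"location\s+[^{]+\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(0).strip(), conf[m.end():i - 1]


def risky_php_locations(conf: str) -> List[str]:
    """Return headers of location blocks that split PATH_INFO for php-fpm
    without first verifying the script exists via try_files ... =404."""
    risky = []
    for header, body in location_blocks(conf):
        splits = "fastcgi_split_path_info" in body
        passes_path_info = re.search(
            r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info", body)
        guarded = re.search(r"try_files\s+\$fastcgi_script_name\s+=404", body)
        if splits and passes_path_info and not guarded:
            risky.append(header)
    return risky


# Constructed sample: the weak pattern from the PHP bug report.
VULNERABLE_CONF = r"""
server {
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""

# Constructed sample: same block with the try_files guard added first.
HARDENED_CONF = r"""
server {
    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
"""

if __name__ == "__main__":
    print("vulnerable:", risky_php_locations(VULNERABLE_CONF))
    print("hardened:", risky_php_locations(HARDENED_CONF))
    print("7.3.10 patched?", php_is_patched("7.3.10"))
```

The config check is a text heuristic over one file; on a real server run it over every file `nginx -T` prints so included snippets are covered, and treat a clean result as necessary but not sufficient until the PHP package is confirmed updated.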
NextCloud is currently investigating the security incidents.