
NextCry Ransomware Is Targeting NextCloud Users

There’s a new ransomware called NextCry which is currently targeting NextCloud users. NextCloud is a suite of client-server software for creating and using file hosting services.

When it was first observed in the wild, NextCry wasn’t detected by any of VirusTotal’s antivirus engines. At the time this article is being written, the ransomware is detected by 7 engines, including FireEye, TrendMicro, Bitdefender, DrWeb, and Kaspersky. Several antivirus engines are currently unable to process the uploaded malicious file.

NextCry Ransomware – Technical Overview

According to security researcher Michael Gillespie, the ransomware is a new threat that Base64-encodes the file names. It is noteworthy that the ransomware also Base64-encodes the content of each file after encrypting it.

According to BC researchers, NextCry is a Python script compiled into a Linux ELF binary with the help of PyInstaller. Its ransom note is located in a file dubbed READ_FOR_DECRYPT. The note says that the user’s files are encrypted with the AES encryption algorithm using a 256-bit key. Michael Gillespie was able to confirm the use of AES-256, and that the key itself is encrypted with an RSA-2048 public key embedded in the ransomware code.


Security researchers were also able to determine that, so far, the NextCry ransomware is only targeting NextCloud services and users. Upon execution, the malware will locate the victim’s NextCloud file share and sync data directory by reading the config.php file. Then, it will delete folders that potentially could be used to restore files. The next step is the encryption of all the files located in the data directory.
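As a defender-side illustration of the behaviour described above, here is an added Python example; it is not code from the article or from any of the researchers cited. It reads the datadirectory setting from a Nextcloud config.php (the same file the malware consults), then walks that directory looking for the two indicators the article reports: a READ_FOR_DECRYPT note and directories whose file names are Base64 strings. The sample config.php and files are constructed inline so the script runs offline, and the 50% "Base64-like names" threshold is an assumption of this example, not a figure from the article.

```python
import base64
import binascii
import os
import re
import tempfile

# Constructed sample Nextcloud config.php (not taken from a real install).
# Only the 'datadirectory' key matters for this check.
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'ocexample',
  'datadirectory' => '__DATADIR__',
  'dbtype' => 'mysql',
);
"""

RANSOM_NOTE = "READ_FOR_DECRYPT"          # note file name reported in the article
B64_NAME = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def parse_datadirectory(config_path):
    """Return the 'datadirectory' value from a Nextcloud config.php, or None."""
    with open(config_path, encoding="utf-8") as fh:
        text = fh.read()
    m = re.search(r"'datadirectory'\s*=>\s*'([^']+)'", text)
    return m.group(1) if m else None


def looks_base64_encoded(name):
    """True if name is a syntactically valid Base64 string that decodes cleanly."""
    if len(name) % 4 != 0 or not B64_NAME.match(name):
        return False
    try:
        base64.b64decode(name, validate=True)
        return True
    except (ValueError, binascii.Error):
        return False


def scan_data_directory(datadir, min_ratio=0.5):
    """Walk datadir; report ransom notes and directories whose file names are
    predominantly Base64-like. min_ratio (assumed) limits false positives from
    the odd short name such as 'data' that happens to be valid Base64."""
    findings = {"ransom_notes": [], "suspicious_dirs": []}
    for root, _dirs, files in os.walk(datadir):
        if RANSOM_NOTE in files:
            findings["ransom_notes"].append(os.path.join(root, RANSOM_NOTE))
        regular = [f for f in files if f != RANSOM_NOTE]
        if not regular:
            continue
        b64_like = sum(1 for f in regular if looks_base64_encoded(f))
        if b64_like / len(regular) >= min_ratio:
            findings["suspicious_dirs"].append((root, b64_like, len(regular)))
    return findings


def check_instance(config_path):
    """config.php -> data directory -> indicator scan."""
    datadir = parse_datadirectory(config_path)
    if datadir is None or not os.path.isdir(datadir):
        raise ValueError("could not resolve datadirectory from config.php")
    return scan_data_directory(datadir)


def build_demo_instance():
    """Create a throwaway Nextcloud-like tree with constructed files: one clean
    user directory and one showing the indicators from the article (Base64
    file names plus a READ_FOR_DECRYPT note). Returns the config.php path."""
    base = tempfile.mkdtemp(prefix="nc_demo_")
    datadir = os.path.join(base, "data")
    clean = os.path.join(datadir, "alice", "files")
    hit = os.path.join(datadir, "bob", "files")
    os.makedirs(clean)
    os.makedirs(hit)
    sample_names = ("report.pdf", "holiday.jpg", "notes.txt")
    for name in sample_names:
        open(os.path.join(clean, name), "w").close()
    for name in sample_names:
        encoded = base64.b64encode(name.encode()).decode()
        open(os.path.join(hit, encoded), "w").close()
    open(os.path.join(hit, RANSOM_NOTE), "w").close()
    config = os.path.join(base, "config.php")
    with open(config, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG.replace("__DATADIR__", datadir))
    return config


if __name__ == "__main__":
    print(check_instance(build_demo_instance()))
```

Running the script against the constructed tree reports one ransom note and flags only the "bob" directory, where all three names are Base64 strings; the clean "alice" directory, whose names contain dots and so are not valid Base64, is left alone. On a real instance you would point check_instance at the installation's config.php, ideally from a scheduled job, since the article notes the malware also deletes folders that could be used for restoration, so an early alert is worth more than a late one.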

In late October, NextCloud released a security advisory titled “Urgent security issue in NGINX/php-fpm”. The advisory said that a risk emerged around NGINX, documented in CVE-2019-11043.

This vulnerability allows remote code execution on some NGINX and php-fpm configurations. A public exploit for CVE-2019-11043 is available in the wild, and it has apparently been leveraged in attacks against vulnerable servers. Administrators should update their PHP packages and their NGINX configuration file to avoid exploitation.

NextCloud is currently investigating the security incidents.

Milena Dimitrova
