Linux Ransomware: NextCry encrypts data in cloud storage from Nextcloud

22. November, 2019

New Ransomware campaign in the wild targeting Nextcloud installations

The first thing the Trojan does after execution, is searching for the Nextcloud Fileshare and Sync Data Directory in config.php, Bleeping Computer reported. The files are encrypted and the file extension NEXTCRY is appended. A ransom note asks for 0.025 bitcoins, naming a wallet and an email address.

Unlike most well-known ransomware campaigns, which want to reach a broad mass of victims (and thus ransom), NextCry selects its victims specifically from the users of a certain platform. Once in the system, it encrypts the data in the data directory using an intact AES algorithm with a 256-bit key and deletes files that could help with recovery. There is no decrypter yet.

The previously known infections are only a few days old, larger waves of attack could follow. Nextcloud server admins should immediately secure the systems against the vulnerability CVE-2019-11043, which was discovered a few weeks ago and occurs in PHP applications in conjunction with NINX. It seems to be the gateway for NextCry. Nextcloud had already informed about this vulnerability before the first attacks, perhaps preventing the Trojan from spreading further.

“The difficult thing about this malware is that you are almost powerless as a user because the problem is at hosters, on the server side,” says security specialist Benjamin Paar. He adds “I strongly recommend that all users create a valid, up-to-date offline backup – otherwise, the backed up files may be overwritten with the encrypted ones during automatic synchronization with the cloud.”

Red Teams, Blue Teams, Purple Teaming

Living Off the Land attacks

MSSP of the Year 2024

SIEM

What is a SIEM?

Nozomi Guardian Air
HarfangLab Guard
MITRE ATT&CK Framework
v.l.n.r.: Joe Pichlmayr (CEO IKARUS) – Anouck Teiller (CSO HarfangLab) –Alexander van der Bellen (Bundespräsident Österreich) - Frédéric Joureau (Erster Botschaftsrat der französischen Botschaft in Wien) – Christian Fritz (COO IKARUS)
EDR
Cyber Kill Chain
Business Email Compromise
Prognosen für die zehn größten Cybersecurity-Bedrohungen für 2030
E-Mail Verschlüsselung
Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Bedrohung

WE ARE LOOKING FORWARD TO HEARING FROM YOU!

IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500
sales@ikarus.at

SUPPORT HOTLINE

Support hotline:
+43 1 58995-400
support@ikarus.at

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download