Tuesday, October 20, 08:24
The new NextCry Ransomware targets Nextcloud users on Linux servers

Security researchers have discovered a new ransomware, called NextCry, that targets customers of the NextCloud software. NextCloud is designed for building and running file-hosting services.

The ransomware gets its name from the extension it appends to the encrypted files. At the moment, NextCry's malicious code is not detected by antivirus programs.

Xact64, a Nextcloud user hit by NextCry, posted details about the ransomware in an attempt to find a way to decrypt his files.

Xact64 explained that the synchronization process was replacing his files with the encrypted versions.

"I realized immediately that my server was hacked and that my files were encrypted," xact64 said. "I tried to limit the damage (only 50% of my files were encrypted)".

Researcher Michael Gillespie used the information shared by xact64 to analyze the malware. He confirmed that it is a new ransomware that uses Base64 to encode file names. The researcher also said NextCry uses the AES-256 algorithm to encrypt the files.

NextCry is a Python script packaged into a Linux ELF binary with pyInstaller.

The hackers behind the NextCry ransomware demand 0,025 BTC (about $210) from victims to decrypt their files. The researchers looked at the bitcoin wallet provided by the hackers and found that none of the victims had paid the ransom at the time.

Here is the message the hackers display after NextCry has run and encrypted the files:

Investigators have confirmed that the malicious code was designed exclusively to attack NextCloud users.

After execution, the NextCry ransomware reads the NextCloud service's config.php file to locate the NextCloud file share and sync data directory. Once it has found it, it deletes the folders that could be used to restore the files and encrypts every file in the data directory.
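Because the ransomware locates the data directory through config.php and removes the restore folders before encrypting, an administrator can check for exactly those traces. The following Python script is an added example written for this article, not code from the article or from Nextcloud: it reads `datadirectory` from a config.php text, then walks each user folder and reports restore folders that are missing and files whose names decode as Base64 (the naming scheme the article attributes to NextCry). The folder names `files_versions` and `files_trashbin`, the `.locked` extension and the sample users are assumptions or constructed sample data; the article does not state NextCry's real extension.

```python
import base64
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Matches  'datadirectory' => '/path/to/data',  in Nextcloud's config.php (PHP array syntax).
DATADIR_RE = re.compile(r"""['"]datadirectory['"]\s*=>\s*['"]([^'"]+)['"]""")

# Per-user folders Nextcloud keeps for old versions and deleted files. The article only
# says "folders that can be used to restore the files"; these names are the standard
# Nextcloud layout and are an assumption of this example.
RESTORE_DIRS = ("files_versions", "files_trashbin")

# A Base64-looking name: at least 8 Base64 characters plus optional padding.
B64_NAME_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def find_datadirectory(config_php: str) -> Optional[str]:
    """Locate the data directory from config.php, the same place the ransomware reads it."""
    m = DATADIR_RE.search(config_php)
    return m.group(1) if m else None


def looks_base64_encoded(name: str) -> bool:
    """True when the name (minus any appended extension) decodes to printable text."""
    stem = name.split(".")[0]
    if not B64_NAME_RE.match(stem):
        return False
    try:
        raw = base64.b64decode(stem, validate=True)
        return len(raw) > 0 and raw.decode("utf-8").isprintable()
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return False


def audit_data_directory(datadir: str) -> Dict[str, List[str]]:
    """Report restore folders that have vanished and files whose names look Base64-encoded."""
    report: Dict[str, List[str]] = {"missing_restore_dirs": [], "suspicious_files": []}
    for user in sorted(os.listdir(datadir)):
        user_dir = os.path.join(datadir, user)
        files_dir = os.path.join(user_dir, "files")
        if not os.path.isdir(files_dir):
            continue  # appdata_*, .ocdata and similar entries are not user folders
        for d in RESTORE_DIRS:
            if not os.path.isdir(os.path.join(user_dir, d)):
                report["missing_restore_dirs"].append(f"{user}/{d}")
        for root, _dirs, files in os.walk(files_dir):
            for f in files:
                if looks_base64_encoded(f):
                    rel = os.path.relpath(os.path.join(root, f), datadir)
                    report["suspicious_files"].append(rel)
    return report


def build_demo_instance() -> Tuple[str, str]:
    """Constructed sample data: a config.php text and a tiny data directory with one
    healthy user (alice) and one that looks like a NextCry victim (bob)."""
    datadir = tempfile.mkdtemp(prefix="nc-demo-")
    config_php = "<?php\n$CONFIG = array (\n  'datadirectory' => '%s',\n);\n" % datadir
    for d in ("files", *RESTORE_DIRS):
        os.makedirs(os.path.join(datadir, "alice", d))
    open(os.path.join(datadir, "alice", "files", "notes.txt"), "w").close()
    os.makedirs(os.path.join(datadir, "bob", "files"))
    # ".locked" is a placeholder; the article does not state NextCry's real extension.
    enc_name = base64.b64encode(b"budget.xlsx").decode() + ".locked"
    open(os.path.join(datadir, "bob", "files", enc_name), "w").close()
    return config_php, datadir


def run_demo() -> Dict[str, List[str]]:
    """Run the audit against the constructed instance and return the report."""
    config_php, _ = build_demo_instance()
    datadir = find_datadirectory(config_php)
    assert datadir is not None
    return audit_data_directory(datadir)


if __name__ == "__main__":
    for key, items in run_demo().items():
        print(key, items)
```

On a real server, point `find_datadirectory` at the contents of the instance's config.php and run `audit_data_directory` on the result; a user folder with no `files_versions` or `files_trashbin` next to a burst of Base64-named files is the pattern the article describes. The Base64 test is a heuristic, so short or coincidentally Base64-shaped names can slip through or be flagged.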

Four days ago, another user named alexpw also reported that he had been hit by the ransomware. This user was even running the latest version of the NextCloud software.

"A warning. Looks like there's a problem with NextCloud and I don't have access. My server was already locked using SSH keys and NextCloud was up to date," he wrote.

From this user's comment, it appears that the hackers exploited a vulnerability on the server.

On October 24, Nextcloud published an emergency warning about CVE-2019-11043, an RCE vulnerability affecting NGINX and php-fpm configurations.

The warning read: "During the last 24 hours, a new danger appeared in NGINX, a vulnerability called CVE-2019-11043. This exploit allows remote code execution in some NGINX and php-fpm configurations. If you do not run NGINX, this exploit will not affect you."

"Unfortunately, the default configuration of Nextcloud NGINX is also vulnerable to this attack."

Nextcloud administrators are advised to update their PHP packages and their NGINX configuration file.
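The article says the fix is to update PHP and the NGINX configuration but does not show what to look for in that configuration. The following Python script is an added example written for this article, not Nextcloud's code or configuration: it pulls every `location` block out of an NGINX config and flags php-fpm locations that derive `PATH_INFO` with `fastcgi_split_path_info` and forward it to FPM without a `try_files ... =404` guard. That heuristic is this example's assumption, drawn from the public description of CVE-2019-11043, and the two configs are constructed samples, one weak and one with the guard added. It is a configuration check only; patching php-fpm remains the real fix.

```python
import re
from typing import List


def location_blocks(config: str) -> List[str]:
    """Return every `location ... { ... }` block, matching braces so nested
    directives stay inside their block."""
    blocks = []
    for m in re.finditer(r"\blocation\b[^{]*\{", config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            i += 1
        blocks.append(config[m.start():i])
    return blocks


def weak_php_locations(config: str) -> List[str]:
    """Heuristic (an assumption of this example, not a statement from the article):
    a php-fpm location that splits PATH_INFO and hands it to FPM without a
    `try_files ... =404` guard is reported by its opening line."""
    findings = []
    for block in location_blocks(config):
        if "fastcgi_pass" not in block:
            continue  # static content, never handed to php-fpm
        splits = "fastcgi_split_path_info" in block
        forwards = re.search(r"fastcgi_param\s+PATH_INFO\b", block) is not None
        guarded = re.search(r"try_files\s+[^;]*=404", block) is not None
        if splits and forwards and not guarded:
            findings.append(block.splitlines()[0].strip())
    return findings


# Constructed sample configs (not the config Nextcloud ships).
WEAK_CONFIG = r"""
server {
    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
}
"""

# Same config with the guard inserted: the script must exist on disk before FPM sees it.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "        include fastcgi_params;",
    "        try_files $fastcgi_script_name =404;\n        include fastcgi_params;",
)


if __name__ == "__main__":
    print("weak:", weak_php_locations(WEAK_CONFIG))
    print("hardened:", weak_php_locations(HARDENED_CONFIG))
```

Feed it the text of the site's NGINX config (for example `nginx -T` output) and any line it prints is a php-fpm location worth reviewing against the current Nextcloud NGINX documentation; an empty result does not prove the php-fpm package itself is patched.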

Absent Mia, https://www.secnews.gr