Security researchers have discovered a new ransomware, called NextCry. The ransomware targets users of the NextCloud software. NextCloud is designed for building and running file hosting services.
Xact64, a Nextcloud user affected by NextCry, posted some details about the ransomware in an attempt to find a way to decrypt his personal files.
Xact64 explained that the synchronization process was replacing his files with their encrypted versions as it ran.
"I realized immediately that my server was hacked and that my files were encrypted," xact64 said. "I tried to limit the damage (only 50% of my files were encrypted)."
Researcher Michael Gillespie used the information shared by xact64 to analyze the malware. He confirmed that it is a new ransomware and that it uses Base64 to encode file names. The researcher also said NextCry uses the AES-256 algorithm to encrypt the files.
NextCry is a Python script packaged into a Linux ELF binary with pyInstaller.
The hackers behind the NextCry ransomware are demanding 0.025 BTC (about $210) from victims to decrypt their files. The researchers looked at the bitcoin wallet provided by the hackers and found that no victim has paid the ransom so far.
Here's the message the hackers sent after installing NextCry and encrypting the files:
Investigators have confirmed that the malicious code was designed exclusively for attacks on NextCloud users.
After execution, the NextCry ransomware reads the NextCloud service's config.php file to find the NextCloud file share and sync data directory. Once it has found it, it deletes the folders that could be used to restore the files and then encrypts all the files in the data directory.
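The behaviour described above (locating the data directory through config.php, then leaving files behind with Base64-encoded names) suggests a simple host-side check an administrator can run over the Nextcloud data directory. The Python below is an added example, not code from the article or from the NextCry sample; the config.php excerpt, the file listing and the 20% alert threshold are constructed assumptions.

```python
import base64
import re
from typing import Iterable, Optional

# Constructed excerpt of a Nextcloud config.php; the path is a hypothetical example.
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
);
"""

# Constructed listing of one user's files/ folder: two NextCry-style renamed entries
# (Base64 of "report.pdf" and "invoice.docx") next to untouched files.
SAMPLE_LISTING = ["cmVwb3J0LnBkZg==", "aW52b2ljZS5kb2N4", "photo.jpg", "notes.txt", "README"]

DATADIR_RE = re.compile(r"'datadirectory'\s*=>\s*'([^']+)'")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def find_datadirectory(config_text: str) -> Optional[str]:
    """Locate the data directory the way the article says NextCry does: from config.php."""
    m = DATADIR_RE.search(config_text)
    return m.group(1) if m else None


def looks_base64_encoded(name: str) -> bool:
    """True when a file name is well-formed Base64 that decodes to printable ASCII,
    which is what an original name looks like after NextCry-style renaming."""
    if len(name) < 8 or len(name) % 4 != 0 or not B64_RE.fullmatch(name):
        return False
    try:
        decoded = base64.b64decode(name, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return decoded.isascii() and decoded.decode("ascii").isprintable()


def renamed_fraction(names: Iterable[str]) -> float:
    """Share of entries whose names look Base64-encoded; a sudden jump is the alert signal."""
    names = list(names)
    if not names:
        return 0.0
    return sum(looks_base64_encoded(n) for n in names) / len(names)


def should_alert(names: Iterable[str], threshold: float = 0.2) -> bool:
    """Alert when more than `threshold` of a folder's entries carry encoded names (assumed cut-off)."""
    return renamed_fraction(names) > threshold
```

In practice the listing would come from walking the directory returned by find_datadirectory on the live config.php, run on a schedule so a rising fraction is caught while only part of the data has been touched.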
Four days ago, another user named alexpw also reported that he had been affected by the ransomware. This user was even running the latest version of the NextCloud software.
"A warning. Looks like there's a problem with NextCloud and I don't have access. My server was already locked using SSH keys and NextCloud was up to date," he wrote.
From this user's comment, it appears that the hackers took advantage of some vulnerability on the server.
On October 24, Nextcloud published an emergency warning about the CVE-2019-11043 RCE vulnerability in NGINX.
The warning read: "During the last 24 hours, a new danger appeared in NGINX, a vulnerability called CVE-2019-11043. This exploit allows remote code execution in some NGINX and php-fpm configurations. If you do not run NGINX, this exploit will not affect you."
"Unfortunately, the default Nextcloud NGINX configuration is also vulnerable to this attack."
Nextcloud administrators should update their PHP packages and their NGINX configuration file.