NextCry is a new ransomware that targets NextCloud Linux servers
Spotted in the past few hours, it remains invisible to scanning engines for now. It requires 0.025 bitcoins as a ransom, equal to about 150 euros.
A new variant of ransomware, particularly treacherous, has been discovered in the past few days and targets NexCloud Linux servers: it is called NextCry and is able tobgo unnoticed by scanning systems and antivirus engines, and is currently not available for victims no specific tool that can decrypt data for free.
NextCry ransomware, which is technically a Python script compiled into a Linux ELF binary using pyInstaller, makes use of Base64 to encode file names and content of files that have already been encrypted. NextCry uses the AES 256-bit key algorithm. The victims receive a ” READ_FOR_DECRYPT ” note requesting a ransom of 0.025 bitcoins – at the time of writing this is a value of around $160 / € 150 – to unlock the encrypted files.
A user shared his experience on the Bleeping Computer forum in an attempt to find a way to decrypt the files: ” I realized that my server was compromised, and these files were encrypted. The first thing I did was disable the server to limit the damage that had been done (only 50% of the files had been encrypted). I have my linux server with NGINX reverse-proxy “.
The message can provide some clues to understand how attackers were able to access the system: last 24 Oct NextCloud revealed a vulnerability that was exploited to compromise servers with the default NGINX configuration.
NextCloud recommends that administrators update their PHP packages and the NGINX configuration file to the latest version to protect themselves against NextCry attacks.
