New NextCry ransomware goes undetected by antivirus engines to target Nextcloud Linux servers

• NextCry gets its name from the extension the ransomware uses to append the filenames of encrypted files.
• The malware targets the clients using the Nextcloud file sync and share service.

As ransomware authors continue to evolve, a new malware has emerged in the cyber threat landscape lately. The ransomware, named NextCry, has been found to be active in the wild as it remains undetected by antivirus engines on public scanning platforms.

What does it target?

NextCry gets its name from the extension the ransomware uses to append the filenames of encrypted files. The malware targets the clients using the Nextcloud file sync and share service.

How was it detected?

Details about ransomware was revealed after a Nextcloud user who goes by the online name of ‘xact64’ took to the Bleeping Computer forum to discuss a way to decrypt encrypted files.

The user noted even if his system was backed up, the synchronization process had started to update files a laptop with the encrypted version on the server.

Later, the user found that some of the files were renamed to NextCry, otherwise known as Next-Cry.

“I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted),” explained xact64, Bleeping Computer reported.

What is new?

Bleeping Computer discovered that NextCry is a Python Script compiled in a Linux ELF binary using pyInstaller.

The ransomware uses the Base64 algorithm to encode the filenames. The interesting aspect of the ransomware is that it uses the AES-256 algorithm to encrypt the files and that the key is encrypted with an RSA-20148 public key embedded in the code of the ransomware.

When executed, the ransomware first searches the victim’s Nextcloud file share and sync data directory by reading the service’s config.php file. Later, it deletes some folder that could be used to restore files and then encrypts all the files in the data directory.

How much ransom does it demand?

The ransomware demands a ransom of BTC 0.025 (roughly $210) to decrypt the files encrypted.

The ransom demand is dropped in the form of a note which says,

“YOU HAVE BEEN HACKED YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM – SEND 0.025 BTC TO THE FOLLOWING WALLET wallet address AND AFTER PAY CONTACT their email TO RECOVER THE KEY NECESSARY TO DECRYPT YOUR FILES”

Worth noting

Although the propagation method of the malware is unknown, another user who goes online with the handle ‘alexpw’ explains that the attackers exploited some vulnerabilities in the Nextcloud server to spread NextCry.

Lately, on October 24, Nextcloud had released an urgent alert for the CVE-2019-11043 RCE in NGINX. It is believed that exploit for the issue is available to the public.

Nextcloud admins have been recommended to upgrade their PHP packages and NGINX configuration file to the latest version.