Ransomware has been a prominent threat to enterprises of all shapes and sizes and individuals alike for almost two decades. According to a report from Cybersecurity Ventures, ransomware damage was expected to exceed over $8 billion in 2018 alone. In recent years, we have witnessed a few of the most lethal ransomware attacks in the form of WannaCry, NotPetya, TeslaCrypt, SimpleLocker, and more. Recently, new ransomware known as NextCry has surfaced affecting the Nextcloud file-sharing software. The ransomware gets its name from the extension that it appends to the names of encrypted files. Nextcloud is one of the most widely used file sharing and collaboration platforms powered by Linux servers.
Recent incidents
A Bleeping Computer forum member named xact64 reported that half of his Nextcloud files were encrypted by NextCry after his Nextcloud server was hit by the ransomware. The user stated that Nextcloud continued to update his files with the encrypted versions. After realizing this, he stopped the server from sending files to his laptop to prevent more data from getting encrypted.
The forum member asked for the help of others to decrypt his files. He also provided some of the encrypted files to Michael Gillespie, a renowned security expert researcher who confirmed that the files were encrypted with the new ransomware using AES-256 and RSA-2048 to encrypt the AES-256 password. The ransomware also uses a Base64 algorithm to encode the file names, making them untraceable.\
[tg_youtube video_id=”AnvmHFnVR6o”]
There was also a ransomware note along with the encrypted files stating:
YOU HAVE BEEN HACKED YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM – SEND 0.025 BTC TO THE FOLLOWING WALLET [wallet cryptographic address] AND AFTER PAY CONTACT [the cybercriminals’ email] TO RECOVER THE KEY NECESSARY TO DECRYPT YOUR FILES
Since this attack was on an individual user’s data, the attackers demanded the relatively low amount of 0.025 in bitcoin, which translates to about $200, depending on bitcoin’s current value. However, an analysis of the hacker’s wallet confirmed that no ransom was sent to the cyberattackers yet.
Soon, another Nextcloud user named Alex posted on the Nextcloud’s platform about being hit by NextCry ransomware. The user stated that the access to their instance has been locked via SSH, which ran the latest version of Nextcloud. The user also reported that all his files were encrypted through the instance. Thankfully, the user had everything backed up.
NextCry: How it works
For starters, NextCry fundamentally works the same way as that of any of the other ransomware attacks. It propagates into the user’s computers by some means and encrypts the files. And for the user or enterprise to decrypt the files, they need to pay a certain ransom to the attackers to get the key for decryption.
According to Bleeping Computer, NextCry is written in Python and is compiled in Linux ELF binary using pyInstaller making Linux machines its primary target.
NextCry propagates and executes on the Nextcloud-enabled computers. The malware reads the Nextcloud’s config.php to find out the data directory. The malware first deletes all the backup files and folders that can restore the infected files. Once this is done, the malware then starts encrypting the victim’s files.
The vulnerability leading to NextCry ransomware attack seems to be known to Nextcloud for a few weeks now. The company rolled out an emergency alert to all its users stating that the Nextcloud users running NGINX servers are vulnerable to remote code execution. The company also listed the necessary steps to follow to stay safe from this vulnerability.
Staying safe
Nextcloud suggested that its users running NGINX servers upgrade their PHP packages to the latest version. The company also listed a few upstream PHP packages with the fix to this vulnerability. It also suggested updating the NGINX config file as this is the core file containing all the address locations and configurational details of the file system and to update the location segment in the config file followed by restarting the webserver.
Currently, there is no available decryption strategy or technique to aid NextCry’s victims. Moreover, since this malware remains undetected by a majority of the antivirus software and tools, it might easily bypass any company’s security checks.
Every individual and organization needs to be very careful when it comes to securing their data. Even a tiny bit of negligence or a misconfiguration can lead to a devastating cyberattack such as ransomware. While security breaches are inevitable, it is always a best practice to have a backup of your important data.
Featured image: Shutterstock
