22.Lock ScreenEffect

A new and particularly troublesome ransomware variant has been identified in the wild. Dubbed NextCry, this nasty strain of ransomware encrypts data on NextCloud Linux servers and has managed to evade the detection of public scanning platforms and antivirus engines. To make matters worse, there is currently no free decryption tool available for victims.

Ransomware hunter and creator of ID Ransomware  Michael Gillespie notes that the NextCry ransomware, which is a Python script compiled in a Linux ELF binary using pyInstaller, oddly uses Base64 to encode file names as well as the content of files which have already been encrypted. Gillespie has also confirmed that NextCry encrypts data using the AES algorithm with a 256-bit key.

The ransom note that NextCry victims receive reads ““READ_FOR_DECRYPT”, and demands 0.025 BTC for a victim’s files to be unlocked.

One NextCloud user, xact64, shared his experience with the malware on a Bleeping Computer forum in an effort to find a way to decrypt personal files which had been instantaneously locked in a NextCry attack: “I realized immediately that my server got hacked and those files got encrypted. “The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted).” He added, “I have my own Linux server (an old thin client I gave a second life) with NGINX reverse-proxy”. 

This statement provides insight into how hackers may have been able to access his system. On October 24, NextCloud disclosed a remote code execution vulnerability (CVE-2019-11043) which has been exploited to compromise servers with the default Nextcloud NGINX configuration.

NextCloud recommends that administrators upgrade their PHP packages and NGINX configuration file to the latest version to protect against NextCry attacks.

How to Protect Your Linux System from Ransomware:

In addition to upgrading to the latest version of PHP and NGINX, here is a list of best practices that administrators and users should implement to protect their Linux systems from NextCry and other emerging ransomware variants:

  • Update your system frequently. Set up automatic updates whenever possible.
  • Track security advisories and apply software patches as soon as they are released.
  • Create backups on a regular basis. This won’t prevent a ransomware attack, but it can reduce the devastation caused by one. Be aware that backups are not foolproof: ransomware may sit idle for weeks until it is triggered, potentially destroying backups.
  • Ransomware often arrives via email, and ransomware emails can be very difficult to identify. Having a well-designed, multi-layered email security gateway in place that detects malicious emails (such as those containing ransomware) and prevents them from reaching the inbox can significantly decrease your risk of suffering a ransomware attack.

Have you or somebody you know experienced a NextCry attack? Please reach out to us and share your story.