Bleeping Computer: It’s dubbed NextCry and is a new cybercrime ransomware that encrypts data on NextCloud Linux servers. It’s currently undetected by antivirus engines on public scanning platforms, and there is no free decryption tool available.
It’s dubbed NextCry and is a new cybercrime ransomware found in the wild that is currently undetected by antivirus engines on public scanning platforms. According to Bleeping Computer, the malware was discovered by xact64, a Nextcloud user, who posted some details about the malicious code on the Media forum in an attempt to find a way to decrypt personal files. It targets NextCloud instances, and for the time being there is no free decryption tool available for victims, as the data is encrypted with the AES algorithm using a 256-bit key. Furthermore, at the time of writing, not one antivirus engine on the VirusTotal scanning platform detects it. The ransom demanded is BTC 0.025 (about $210); a bitcoin wallet is provided, but no transactions have been recorded so far.
Cyber security experts: the malware exploits a vulnerability in NGINX; update the package immediately
According to cyber security experts, when executed, the ransomware first finds the victim’s NextCloud file share and sync data directory by reading the service’s config.php file. NextCry then deletes some folders that could be used to restore files and encrypts all the files in the data directory. The malware exploits a vulnerability in the NGINX Linux reverse proxy, as confirmed by Nextcloud. The developers released an urgent alert, explaining that “in the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. We recommend all system administrators take immediate actions: Upgrade your php packages to the latest version, a new release that fixes the issue is to be released on the 24th of October; Update your nginx config file. We have updated the configuration in our documentation”.
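The alert above tells administrators to update their nginx configuration but does not say what the change is. The following is an added audit script, not code from the article or from Nextcloud, that makes one assumption explicit: the widely documented nginx-side mitigation for CVE-2019-11043 is a `try_files $fastcgi_script_name =404;` guard in every `location` block that hands requests to php-fpm, so that a request for a non-existent script is answered by nginx instead of being forwarded. The script parses an nginx config, finds blocks that use `fastcgi_pass`, and reports those that lack the guard. The two configurations embedded in it are constructed samples in the style of a Nextcloud PHP handler block; the directive names are real nginx directives, but the surrounding server block is illustrative only.

```python
"""
Added example (not from the article or Nextcloud): flag nginx location
blocks that pass requests to php-fpm without the try_files guard that
mitigates CVE-2019-11043. Run it against your own site config after
updating PHP, and treat any reported block as one that still needs review.
"""
import re

# Constructed sample: a PHP handler block without the guard.
VULNERABLE_CONF = r"""
server {
    listen 443 ssl;
    root /var/www/nextcloud;

    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
}
"""

# Constructed sample: the same block with the guard added. nginx evaluates
# try_files before handing the request to the FastCGI backend, so a path
# whose script file does not exist never reaches php-fpm.
HARDENED_CONF = VULNERABLE_CONF.replace(
    "        include fastcgi_params;",
    "        try_files $fastcgi_script_name =404;\n        include fastcgi_params;",
)

# Matches "location <matcher> {" and captures the matcher text.
LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{")
GUARD_RE = re.compile(r"try_files\s+\$fastcgi_script_name\s+=404\s*;")


def _block_body(text, open_brace):
    """Return the text between the brace at text[open_brace] and its
    matching closing brace, honouring nested blocks."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in nginx config")


def find_unprotected_php_locations(conf):
    """Return the matchers of every location block that uses fastcgi_pass
    but has no 'try_files $fastcgi_script_name =404;' directive."""
    findings = []
    for m in LOCATION_RE.finditer(conf):
        body = _block_body(conf, m.end() - 1)
        if "fastcgi_pass" not in body:
            continue  # not a FastCGI handler; out of scope
        if not GUARD_RE.search(body):
            findings.append(m.group(1).strip())
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        hits = find_unprotected_php_locations(conf)
        status = "needs guard in: " + ", ".join(hits) if hits else "ok"
        print(f"{name}: {status}")
```

Running the script prints the unguarded matcher for the first sample and `ok` for the second. A missing guard is a misconfiguration signal, not proof of exposure: the fix on the alert's own terms is the PHP package upgrade, and the nginx change is defence in depth for configurations that cannot be patched immediately.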