Security experts spotted new ransomware dubbed NextCry that targets the clients of the
The name comes from the extensions the ransomware appends to the filenames of encrypted files. The malicious code targets Nextcloud instances and it is currently undetected by antivirus engines.
“xact64, a Nextcloud user, posted on the
The user explained that even if his system was backed up, the synchronization process had started to update files on a laptop with the encrypted version on the server.
“I realized immediately that my server got hacked and those files got encrypted.” said xact64. “The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted)”
The user has provided the case SHA1 to
The ransomware demands a ransom of BTC 0.025 (roughly $210 at the time of writing). The analysis of the balance for the
Below the ransom note dropped by the ransomware after the files have been encrypted.
“YOU HAVE BEEN HACKED YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM – SEND 0.025 BTC TO THE FOLLOWING WALLET wallet address AND AFTER PAY CONTACT their email TO RECOVER THE KEY NECESSARY TO DECRYPT YOUR FILES”
The analysis of the compiled script extracted by another member of the
Once executed, the NextCry ransomware reads the
Four days ago, another user that goes online with the handle ‘
“Just a warning. It seems there’s a
The description shared by Alex suggests that attackers have exploited some vulnerabilities in the server.
“In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and
“Unfortunately the default
(SecurityAffairs – NextCry ransomware, malware)