
NextCry Ransomware

Posted: November 18, 2019

Targeted ransomware attacks are challenging to plan and execute, but they can cause devastating damage when done correctly. The latest example of such an attack involves the NextCry Ransomware, a newly discovered ransomware family that targets NextCloud installations exclusively. NextCloud is a self-hosted file-sharing and collaboration platform that is often used as a workspace by companies, freelancers and regular users. Unfortunately, cybercriminals have begun using the newly developed NextCry Ransomware to encrypt the data on vulnerable NextCloud servers and then extort their owners for money by leaving an unencrypted ransom note in the affected account.

NextCloud Customers Targeted by Threatening File-Encryption Trojan

Cybersecurity experts report that the NextCry Ransomware was developed specifically for this platform and that most of its code is written in Python. The script has been packaged into a Linux ELF binary, which means it runs only on Linux, the operating system NextCloud servers are typically deployed on, and not on Windows. Once launched, the ransomware reads NextCloud's default configuration file to find the victim's storage and synchronization settings, then encrypts the contents of the files in the data directory and triggers synchronization. That last step ensures that the synchronized copies of the files are overwritten with the encrypted versions as well, leaving the victim without a clean copy and making it more likely that they will opt to pay the ransom.

It is important to mention that the NextCry Ransomware is in no way associated with the infamous WannaCryptor Ransomware (WanaCrypt0r Ransomware); it owes its name to the '.nextcry' extension it appends to the files it encrypts. Instead of preserving the original filename, the NextCry Ransomware replaces it with its base64 encoding, so a victim sees a directory full of base64 strings ending in '.nextcry'. The ransom note informs victims that their accounts have been hacked and that all files were encrypted with the 'strong AES-256 algorithm.' It then tells them to send 0.025 Bitcoin to the wallet address given in the message and to contact aksdkja0sdp@ctemplar.com for further instructions.
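A triage script for the behaviour described above, added here as an example; it is not NextCry's code and not part of NextCloud. It walks a NextCloud data directory, lists files carrying the '.nextcry' extension, decodes their base64 stems back to the original names so an administrator can scope what was hit and what to restore from backup, and flags small text files containing the phrases quoted from the ransom note. The sample directory tree, the note filename 'READ_ME.txt', the note-detection markers, and the assumption that the first path component under the data directory is the account name are constructed for this example.

```python
"""Triage a NextCloud data directory for NextCry-style damage.

Added example, not NextCry's code nor NextCloud's. The sample tree,
the note filename and the note markers are constructed for illustration.
"""
import base64
import binascii
import os
import tempfile
from pathlib import Path

NEXTCRY_EXT = ".nextcry"
# Assumption: the ransom note is a small plain-text file that contains the
# phrases quoted from it ('AES-256' and the 0.025 Bitcoin demand).
NOTE_MARKERS = ("AES-256", "0.025")
NOTE_MAX_BYTES = 64 * 1024


def _b64_decode_strict(stem: str) -> bytes:
    """Decode standard or URL-safe base64, rejecting any non-alphabet character."""
    std = stem.replace("-", "+").replace("_", "/")
    return base64.b64decode(std, validate=True)


def decode_original_name(encrypted_name: str):
    """Map 'base64(original).nextcry' back to the original filename.

    Returns None when the name lacks the extension or its stem is not valid
    base64 that decodes to UTF-8 text (i.e. it is not a NextCry-style name).
    """
    if not encrypted_name.endswith(NEXTCRY_EXT):
        return None
    stem = encrypted_name[: -len(NEXTCRY_EXT)]
    try:
        return _b64_decode_strict(stem).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def _looks_like_ransom_note(path: Path) -> bool:
    """Heuristic: a small text file carrying all NOTE_MARKERS."""
    try:
        if path.stat().st_size > NOTE_MAX_BYTES:
            return False
        text = path.read_bytes().decode("utf-8", errors="ignore")
    except OSError:
        return False
    return all(marker in text for marker in NOTE_MARKERS)


def scan_data_directory(data_dir):
    """Walk a NextCloud data directory and report encrypted files and notes."""
    data_dir = Path(data_dir)
    report = {"encrypted": [], "undecodable": [], "notes": [], "affected_users": set()}
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            path = Path(root) / name
            rel = path.relative_to(data_dir)
            # NextCloud stores user data under <datadirectory>/<user>/files/...;
            # assumption: the first path component is the account name.
            user = rel.parts[0] if len(rel.parts) > 1 else None
            if name.endswith(NEXTCRY_EXT):
                if user:
                    report["affected_users"].add(user)
                original = decode_original_name(name)
                if original is None:
                    report["undecodable"].append(str(rel))
                else:
                    report["encrypted"].append((str(rel), original))
            elif _looks_like_ransom_note(path):
                report["notes"].append(str(rel))
    return report


def build_sample_tree(base):
    """Create a constructed victim tree (not real data) under `base`."""
    base = Path(base)
    files_dir = base / "alice" / "files"
    files_dir.mkdir(parents=True)
    for original in ("report.docx", "budget.xlsx"):
        enc_name = base64.b64encode(original.encode()).decode() + NEXTCRY_EXT
        (files_dir / enc_name).write_bytes(b"\x00\x11\x22")  # ciphertext stand-in
    (files_dir / "not-base64!.nextcry").write_bytes(b"junk")  # extension but invalid stem
    (files_dir / "untouched.txt").write_text("hello")
    (base / "alice" / "READ_ME.txt").write_text(
        "Your account was hacked. Files encrypted with strong AES-256 algorithm. "
        "Send 0.025 Bitcoin and contact us for instructions."
    )
    return base


def demo():
    """Run the scan over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_data_directory(build_sample_tree(tmp))


if __name__ == "__main__":
    result = demo()
    for rel, original in sorted(result["encrypted"]):
        print(f"{rel}  <-  {original}")
    print("undecodable:", result["undecodable"])
    print("ransom notes:", result["notes"])
    print("affected users:", sorted(result["affected_users"]))
```

On a live server, run it against the `datadirectory` path from NextCloud's config.php while the instance is offline and synchronization is stopped; the decoded names give the list of files to pull from an offline backup, and names that fail to decode deserve manual inspection.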

A PHP-FPM Vulnerability in NGINX Setups might be Linked to the NextCry Ransomware Outbreak

NextCloud commented on the issue by stating that the attack might be carried out with the help of the recently disclosed CVE-2019-11043, a remote code execution vulnerability in PHP-FPM that is reachable through certain NGINX configurations (the flaw is in PHP-FPM, not in NGINX itself). They added that some of NextCloud's default NGINX configurations might be vulnerable to CVE-2019-11043, and this may be how the NextCry Ransomware gets installed. The bug was fixed in PHP's October 2019 releases (7.1.33, 7.2.24 and 7.3.11), so updating PHP-FPM on the server is the primary fix.

Although the NextCry Ransomware was discovered just a few days ago, researchers report that a free decryption tool is unlikely to appear. The encryption routine is implemented and configured properly, so the attackers alone hold the information needed to decrypt the data. Even so, paying the 0.025 Bitcoin demand is not advisable: fulfilling the request gives no guarantee that the attackers will provide a working decryption service. Victims should instead restore from offline backups that the NextCloud synchronization process could not reach, and patch the server before bringing it back online.
