
NextCry ransomware attacks NextCloud cloud storage

NextCloud users are facing a serious problem. A new ransomware strain, NextCry, attacks NextCloud cloud storage and destroys the backups it holds. According to security experts, the malware gets into systems through a recently discovered vulnerability in the PHP-FPM engine.

The threat was first reported by visitors to the BleepingComputer forum who were looking for a way to regain access to their data.

A user posting under the nickname xact64 said he noticed the problem while his laptop was synchronizing with the cloud storage.

“I realized immediately that my server got hacked and those files got encrypted. The first thing I did was to pull down the server to limit the damage that was being done (only 50% of my files got encrypted)”, xact64 said.

Before his eyes, intact files were being replaced with encrypted copies. The user hastily disconnected the server, but by then half of the content was already locked.

Researchers who studied the malware named it NextCry after the extension it appends to encrypted files. The program is a Python script compiled into an ELF executable (the binary format used on Linux and other UNIX-like systems).


Once on the victim’s machine, NextCry locates the NextCloud synchronization folder, deletes the original data folders from the machine and encrypts the cloud copy. The encrypted versions are then synchronized down to clients in place of the originals, which is exactly what happened to xact64.

Ransomware expert Michael Gillespie said NextCry encrypts victims’ files with the AES algorithm.

“Upon completion of encryption, the program also encodes content using the Base64 standard, which is not typical for such malware”, Michael Gillespie also noted.
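As an added example (not from the article or from any of the researchers quoted in it), the following Python script walks a NextCloud data directory and flags files that show the two traits described above: the NextCry extension, and a body that is nothing but Base64. It assumes the extension appears on disk as `.nextcry` (matched case-insensitively); the sample tree it builds is constructed inline, with random bytes standing in for AES output.

```python
from __future__ import annotations

import base64
import binascii
import os
import re
import tempfile
from pathlib import Path

# Extension named in the article; assumed to appear on disk as ".nextcry",
# matched case-insensitively so "file.NextCry" is caught too.
NEXTCRY_EXT = ".nextcry"

# Whole body made of Base64 alphabet characters (line breaks allowed) with
# optional "=" padding at the end. Used for the atypical-Base64 heuristic.
_B64_BODY = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}\s*$")


def looks_base64(data: bytes, min_len: int = 64) -> bool:
    """True when the file body is one Base64 blob that decodes cleanly.

    Short bodies are ignored: tiny files are too likely to be Base64 by chance.
    """
    if len(data) < min_len or not _B64_BODY.match(data):
        return False
    compact = b"".join(data.split())
    if len(compact) % 4 != 0:
        return False
    try:
        base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def triage_file(path: Path) -> list[str]:
    """Return the indicators a single file shows (empty list = nothing notable)."""
    reasons: list[str] = []
    if path.suffix.lower() == NEXTCRY_EXT:
        reasons.append("nextcry-extension")
    try:
        data = path.read_bytes()
    except OSError:
        return reasons
    if looks_base64(data):
        reasons.append("base64-body")
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a data directory and map relative paths to their indicators."""
    findings: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = triage_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree() -> Path:
    """Constructed sample directory: random bytes stand in for AES output."""
    root = Path(tempfile.mkdtemp(prefix="nc-triage-"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "notes.txt").write_text("quarterly planning notes\n" * 4)
    (docs / "report.pdf.nextcry").write_bytes(base64.b64encode(os.urandom(96)))
    (docs / "oddball.bin").write_bytes(base64.b64encode(os.urandom(80)))
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {', '.join(hits)}")
```

A file that carries both indicators is a strong candidate; a Base64-only hit (like `oddball.bin` in the sample tree) is just a lead, since legitimate data can be Base64 too, so the scanner reports the reasons separately rather than a single verdict.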

To unlock the files, the criminals demand 0.025 BTC. At the time of writing, the wallet specified by the attackers was still empty.

After examining the reports of affected users, BleepingComputer initially suggested that NextCry exploits a vulnerability in NextCloud itself, since the malware was infecting protected installations running the latest version of the software.

Further investigation allowed the developers to trace the source of the infection to a vulnerability in the PHP-FPM engine, which some NGINX servers use to run PHP. According to reporters, at the end of October NextCloud warned of an RCE bug affecting the default configuration of their product, which was built on a vulnerable version of PHP-FPM.

Mitigation

The developers said the threat affected only a small fraction of servers. They notified administrators that they need to update their PHP build to v.7.3.11/7.2.24; since no decryptor for NextCry exists at the moment, only upgrading can protect user data.
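An added example, not from NextCloud or the article, of checking whether a server’s PHP-FPM build meets the versions named in that notification. The per-branch minimums are the two the article states; branches it does not mention are reported as unknown rather than guessed. The banner format `PHP x.y.z (fpm-fcgi) (built: …)` is what `php-fpm -v` prints, and the sample banner used offline is constructed.

```python
from __future__ import annotations

import re
import subprocess
from typing import Optional

# Minimum patched versions per release branch, as stated in the notification
# the article reports. Branches not listed here are reported as unknown.
PATCHED_MINIMUM = {
    (7, 3): (7, 3, 11),
    (7, 2): (7, 2, 24),
}

# "php-fpm -v" prints a banner such as "PHP 7.3.10 (fpm-fcgi) (built: ...)".
_VERSION_RE = re.compile(r"\bPHP (\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner: str) -> Optional[tuple[int, int, int]]:
    """Extract (major, minor, patch) from a PHP version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess_version(version: tuple[int, int, int]) -> str:
    """Classify a version as patched, vulnerable or unknown-branch."""
    branch = version[:2]
    minimum = PATCHED_MINIMUM.get(branch)
    if minimum is None:
        return "unknown-branch"
    return "patched" if version >= minimum else "vulnerable"


def assess_banner(banner: str) -> str:
    """Classify a raw banner string; 'unknown' when no version can be read."""
    version = parse_php_version(banner)
    return "unknown" if version is None else assess_version(version)


def assess_local(binary: str = "php-fpm") -> str:
    """Run the local php-fpm binary and classify its reported version."""
    try:
        proc = subprocess.run([binary, "-v"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return assess_banner(proc.stdout)


if __name__ == "__main__":
    # Constructed banner for an offline demonstration; on a real host the
    # assess_local() result is the one that matters.
    sample = "PHP 7.3.10 (fpm-fcgi) (built: Oct  1 2019 12:00:00)"
    print(sample, "->", assess_banner(sample))
    print("local php-fpm ->", assess_local())
```

On a fleet the same check can be fed the banner collected by a configuration-management tool instead of running the binary locally; either way, a “vulnerable” result means the PHP build is older than the one the notification requires.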

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
