A user posting under the nickname xact64 said he first noticed the problem while his laptop was synchronizing with his cloud storage.
“I realized immediately that my server got hacked and those files got encrypted. The first thing I did was to pull down the server to limit the damage that was being done (only 50% of my files got encrypted)”, xact64 said.
Before his eyes, intact files were being replaced by encrypted copies. The user hastily disconnected the server, but half of the content had already been locked.
Researchers who studied the malware named it NextCry, after the extension that encrypted files receive. The program is a Python script compiled into an ELF executable (the binary format used on UNIX-like systems).
Once on the victim’s machine, NextCry locates the NextCloud synchronization folder, deletes the original data folders from the machine and encrypts the cloud copy. As a result, clients synchronizing with the server download the encrypted files in place of the originals, as happened to xact64.
Ransomware expert Michael Gillespie said NextCry encrypts victims’ files with the AES algorithm.
“Upon completion of encryption, the program also encodes content using the Base64 standard, which is not typical for such malware”, Michael Gillespie also noted.
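A defender-side check that follows from the two observations above (encrypted copies arrive through the sync client, and the ciphertext is Base64-wrapped), added here as an example and not code from the article, from the researchers quoted or from NextCloud: it flags files whose content decodes as Base64 to near-random bytes, which ordinary documents never do. The sample folder, its file names and the entropy threshold are constructed for the example.

```python
import base64
import binascii
import hashlib
import math
import re
from collections import Counter

MIN_SIZE = 64            # skip tiny files (assumed threshold; tune for your data)
ENTROPY_THRESHOLD = 7.5  # bits/byte: AES output is ~8.0, ordinary documents sit well below
_B64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]*={0,2}\s*$")

# Constructed stand-in for a sync folder as (name, content) pairs. The "ciphertext"
# is base64 of a SHA-256 chain: near-random like AES output, but needs no cipher library.
SAMPLE_TEXT = b"Quarterly report: revenue up 4%, headcount flat.\n" * 4
SAMPLE_FOLDER = [
    ("report.txt", SAMPLE_TEXT),
    ("report.txt.b64", base64.b64encode(SAMPLE_TEXT)),  # base64, but not random inside
    ("report.txt.locked", base64.b64encode(            # made-up name for the hit
        b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random bytes approach 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_like_base64_ciphertext(data: bytes) -> bool:
    """Clean base64 whose decoded bytes are near-random: the shape NextCry leaves
    behind (AES ciphertext, then base64) and one ordinary documents do not have."""
    if len(data) < MIN_SIZE or not _B64_RE.match(data):
        return False
    try:
        raw = base64.b64decode(data)  # raises on bad length or padding
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(raw) >= ENTROPY_THRESHOLD


def flag_ciphertext(files) -> list[str]:
    """Names from (name, content) pairs whose content looks like wrapped ciphertext."""
    return [name for name, data in files if looks_like_base64_ciphertext(data)]
```

Feed it (path, first 64 KiB) pairs walked from the NextCloud data directory; a sudden burst of hits is the cue to take the server offline before the sync client pulls more encrypted copies.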
To unlock the files, the criminals demand 0.025 BTC. At the time of writing, the wallet specified by the attackers was still empty.
After examining reports from affected users, BleepingComputer researchers suggested that NextCry exploits a vulnerability in NextCloud itself, since the malware was infecting protected installations running the latest version of the software.
Further investigation allowed the developers to trace the source of the infection to a vulnerability in PHP-FPM, the PHP process manager used by some NGINX deployments. According to reporters, at the end of October NextCloud representatives warned of an RCE bug present in their product’s default configuration, which is built on a vulnerable version of PHP-FPM.
The developers said the threat affected only a small fraction of servers. They notified administrators that the PHP build must be updated to v7.3.11 or v7.2.24; since no decryptor for NextCry exists at present, upgrading is the only way to protect user data.