NextCloud Linux servers using older NGINX and PHP software packages are being targeted by NextCry ransomware.
According to the latest reports, Linux servers that operate decentralized file syncing and sharing services powered by NextCloud software are being targeted by a new ransomware called NextCry. Antivirus engines are not able to detect the ransomware yet. As expected, the attackers are demanding money in exchange for the encrypted files.
Affected users will see this ransom note:
“YOU HAVE BEEN HACKED YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM – SEND 0.025 BTC TO THE FOLLOWING WALLET [wallet address] AND AFTER PAY CONTACT [the hacker’s email] TO RECOVER THE KEY NECESSARY TO DECRYPT YOUR FILES”
0.025 BTC is around $200 at the moment, and analysis of the wallet shows that no one has sent the cybercriminals any money yet.
When it executes on a device running the open-source NextCloud software, the malware reads config.php to find the NextCloud file share and sync data directory. The ransomware then deletes folders and files to prevent infected files from being restored to their previous clean state, and finally begins to encrypt the victim's files.
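For responders, the same config.php entry gives the directory to triage. The following is an added example, not code from the article or from NextCloud: it assumes config.php holds the usual `'datadirectory' => '...'` entry, and the entropy threshold and sample size are assumed values. High entropy also matches compressed media and archives, so a flag is a triage signal, not proof of encryption.

```python
import math
import os
import re
from collections import Counter

# Matches the 'datadirectory' entry of the config.php array (assumed layout).
DATADIR_RE = re.compile(r"""['"]datadirectory['"]\s*=>\s*['"]([^'"]+)['"]""")

def data_directory(config_php_text):
    """Return the datadirectory value from config.php text, or None."""
    m = DATADIR_RE.search(config_php_text)
    return m.group(1) if m else None

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, about 4-5 for plain text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def scan(root, threshold=7.5, sample=65536, min_size=1024):
    """Walk root and return (high_entropy_paths, files_examined)."""
    flagged, examined = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file: skip it
            examined += 1
            # Very small samples cannot reach the threshold reliably.
            if len(head) >= min_size and shannon_entropy(head) >= threshold:
                flagged.append(path)
    return sorted(flagged), examined

if __name__ == "__main__":
    import sys
    # Usage: python triage.py /path/to/nextcloud/config/config.php
    with open(sys.argv[1], encoding="utf-8") as fh:
        root = data_directory(fh.read())
    if root is None:
        sys.exit("no datadirectory entry found in config.php")
    flagged, examined = scan(root)
    print(f"{len(flagged)} of {examined} files under {root} are high-entropy")
```

A sudden jump in the flagged share across document types that are normally plain text is the pattern to look for when comparing against a known-good baseline.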
For NextCloud's solution to the issue, you can visit the help page.