New NextCry Ransomware targets Nextcloud instances on Linux servers

NextCry is a new ransomware that was spotted by researchers while encrypting data on Linux servers in the wild.

Security experts spotted new ransomware dubbed NextCry that targets Nextcloud, the file sync and share platform, by encrypting the data held on self-hosted Nextcloud servers.

The name comes from the extension the ransomware appends to the filenames of encrypted files. The malicious code targets Nextcloud instances and, at the time of writing, was not detected by any antivirus engine.

“xact64, a Nextcloud user, posted on the BleepingComputer forum some details about the malware in an attempt to find a way to decrypt personal files.” reads the post published by BleepingComputer that reported the news.

The user explained that even though his server was backed up, the Nextcloud client had already started syncing the encrypted versions of the files from the server down to his laptop, overwriting the clean copies there.

“I realized immediately that my server got hacked and those files got encrypted.” said xact64. “The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted).”

The user provided the sample's SHA1 hash to BleepingComputer, and malware researcher Michael Gillespie analyzed it, confirming that the threat is new and that it Base64-encodes the file names. Gillespie added that the ransomware encrypts files with AES-256 and that the AES key is in turn encrypted with an RSA-2048 public key embedded in the ransomware's code, so the file key cannot be recovered from the binary alone; only the holder of the matching private key can decrypt it.

NextCry is a Python script that has been compiled into a Linux ELF binary using PyInstaller.

The ransomware demands a ransom of 0.025 BTC (roughly $210 at the time of writing). The balance of the bitcoin wallet provided by the crooks shows that no one had paid the ransom at the time of writing.

The ransom note dropped by the ransomware after the files have been encrypted is reproduced as an image in the original post.

The analysis of the decompiled script, extracted by another member of the BleepingComputer forum, confirmed that the malicious code was designed to target Nextcloud users.

Once executed, NextCry reads the Nextcloud service's config.php file to find the data directory used for file share and sync. It then deletes some folders that could be used to restore files and encrypts every file in the data directory.
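The same config.php lookup can be turned around for incident response. The following script is an added example, not code from the article, from the ransomware or from Nextcloud: it reads `datadirectory` from config.php the way the text says the malware does, then walks the data directory counting files that carry the encrypted-file extension and flagging accounts whose trash (`files_trashbin`) and version (`files_versions`) directories are gone. The `.nextcry` extension, the sample directory tree and the config.php text are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Assumption of this example: the ransomware appends ".nextcry" to the files it
# encrypts. Check the extension against the sample you are actually dealing with.
NEXTCRY_EXT = ".nextcry"

# Nextcloud keeps each account's trash and file versions in these directories
# next to the account's "files" directory; their absence on an account that
# still has "files" fits the "deletes folders that could be used to restore
# files" behaviour described above.
RECOVERY_DIRS = ("files_trashbin", "files_versions")

DATADIR_RE = re.compile(r"""['"]datadirectory['"]\s*=>\s*['"]([^'"]+)['"]""")


def parse_datadirectory(config_php: str) -> str:
    """Pull the 'datadirectory' value out of the text of Nextcloud's config.php.

    This is the same lookup the article says the malware performs; here it
    tells the responder where to look.
    """
    match = DATADIR_RE.search(config_php)
    if not match:
        raise ValueError("no 'datadirectory' entry found in config.php")
    return match.group(1)


def scan_datadirectory(data_dir: str, marker_ext: str = NEXTCRY_EXT) -> dict:
    """Walk a Nextcloud data directory and report NextCry-style damage."""
    root = Path(data_dir)
    encrypted, affected, missing_recovery = [], set(), {}
    for account in sorted(root.iterdir()):
        # Real accounts have a "files" directory; appdata_*, .ocdata etc. do not.
        if not (account / "files").is_dir():
            continue
        missing = [d for d in RECOVERY_DIRS if not (account / d).is_dir()]
        if missing:
            missing_recovery[account.name] = missing
        for path in account.rglob("*"):
            if path.is_file() and path.name.endswith(marker_ext):
                encrypted.append(path.relative_to(root).as_posix())
                affected.add(account.name)
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "affected_accounts": sorted(affected),
        "missing_recovery_dirs": missing_recovery,
    }


def triage(config_path: str) -> dict:
    """config.php -> data directory -> damage report, in one call."""
    data_dir = parse_datadirectory(Path(config_path).read_text())
    return scan_datadirectory(data_dir)


def build_sample_instance() -> str:
    """Create a constructed, throw-away Nextcloud-like tree; return its config.php path.

    Nothing here comes from a real compromised server.
    """
    base = Path(tempfile.mkdtemp(prefix="nextcry-demo-"))
    data = base / "data"
    # alice: two encrypted files (Base64-looking names), recovery dirs gone
    (data / "alice" / "files" / "docs").mkdir(parents=True)
    (data / "alice" / "files" / "docs" / "cGxhbi5kb2N4.nextcry").write_bytes(b"\x00" * 32)
    (data / "alice" / "files" / "bm90ZXMudHh0.nextcry").write_bytes(b"\x00" * 16)
    # bob: untouched, trash and versions still present
    (data / "bob" / "files").mkdir(parents=True)
    (data / "bob" / "files" / "report.pdf").write_bytes(b"%PDF-1.4\n")
    for d in RECOVERY_DIRS:
        (data / "bob" / d).mkdir()
    # an appdata directory without "files" is not an account and is skipped
    (data / "appdata_demo" / "preview").mkdir(parents=True)
    config = base / "config" / "config.php"
    config.parent.mkdir()
    config.write_text(
        "<?php\n$CONFIG = array (\n"
        "  'instanceid' => 'ocdemo',\n"
        f"  'datadirectory' => '{data.as_posix()}',\n"
        "  'dbtype' => 'sqlite3',\n);\n"
    )
    return str(config)


if __name__ == "__main__":
    report = triage(build_sample_instance())
    print(f"{report['encrypted_count']} encrypted files, accounts hit: {report['affected_accounts']}")
    for account, dirs in report["missing_recovery_dirs"].items():
        print(f"{account}: recovery directories missing: {dirs}")
```

Run it against a real instance by calling `triage("/path/to/nextcloud/config/config.php")` on a copy of the server taken offline first; as xact64's account shows, the desktop client will otherwise keep pulling encrypted files down to endpoints while you look.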

Four days earlier, another user, who goes by the handle ‘alexpw’, had posted on the Nextcloud support forum a message describing how his instance, running the latest version of the software, was infected. According to ‘alexpw’, the server had already been locked down with SSH keys.

“Just a warning. It seems there’s a vuln somewhere as my instance of NextCloud got taken over today. My server was locked down already, using SSH keys and NextCloud was up to date.” wrote the user.

The description shared by alexpw suggests that the attackers got in by exploiting a vulnerability somewhere in the server's software stack rather than through SSH.

On October 24, Nextcloud released an urgent alert for CVE-2019-11043, a remote code execution flaw in PHP-FPM that is reachable through certain NGINX configurations; experts warned that a public exploit for the issue was available.

“In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not affect you.” reads the alert.

“Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this attack.”

Nextcloud admins should upgrade their PHP packages to a release in which PHP-FPM is fixed and update their NGINX configuration to the latest version published by Nextcloud.
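Whether a given NGINX site is exposed to CVE-2019-11043 depends on the shape of its PHP location block. The script below is an added example, not code from the article or from Nextcloud: it finds every `location` block that hands requests to PHP-FPM and reports those that split `PATH_INFO` out of the URI with `fastcgi_split_path_info` without first verifying that the requested script exists (`try_files $fastcgi_script_name =404;`, the existence check that appears in the updated Nextcloud configuration and that turns the exploit's crafted URI into a 404). The two configuration samples are constructed for the demonstration and cut down from a full Nextcloud site; the check is a heuristic for the known-vulnerable pattern, and upgrading PHP remains the actual fix.

```python
import re

# Constructed sample, not a real deployment: a PHP location block shaped like
# the pre-fix Nextcloud NGINX configuration. It splits PATH_INFO out of the
# URI and passes it to php-fpm without checking that the script exists.
VULNERABLE_CONF = r"""
server {
    location ~ ^/(?:index|remote|public|cron|status|ocs/v[12])\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php-handler;
    }
    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
}
"""

# The same block with the mitigation: try_files answers 404 unless
# $fastcgi_script_name names an existing file. $fastcgi_path_info is saved
# first because try_files clears it.
MITIGATED_CONF = VULNERABLE_CONF.replace(
    "        include fastcgi_params;",
    "        set $path_info $fastcgi_path_info;\n"
    "        try_files $fastcgi_script_name =404;\n"
    "        include fastcgi_params;",
).replace("fastcgi_param PATH_INFO $fastcgi_path_info;",
          "fastcgi_param PATH_INFO $path_info;")

LOCATION_RE = re.compile(r"\blocation\b[^{]*\{")
EXISTENCE_CHECK_RE = re.compile(r"try_files\s+\$fastcgi_script_name\s+=404\s*;")


def location_blocks(conf: str) -> list:
    """Return (header, body) for each location block, matching braces by depth."""
    blocks = []
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
            i += 1
        header = conf[m.start():m.end() - 1].strip()
        blocks.append((header, conf[m.end():i - 1]))
    return blocks


def strip_comments(text: str) -> str:
    """Drop '#' comments so a commented-out try_files line does not count."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def audit_php_locations(conf: str) -> list:
    """Flag PHP-FPM location blocks that match the CVE-2019-11043 pattern."""
    findings = []
    for header, body in location_blocks(conf):
        text = strip_comments(body)
        if "fastcgi_pass" not in text:
            continue  # not handed to php-fpm, not in scope
        splits_path = "fastcgi_split_path_info" in text
        passes_path_info = re.search(r"fastcgi_param\s+PATH_INFO\b", text) is not None
        checked = EXISTENCE_CHECK_RE.search(text) is not None
        findings.append({
            "location": header,
            "has_try_files_404": checked,
            "exposed": splits_path and passes_path_info and not checked,
        })
    return findings


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        for f in audit_php_locations(conf):
            print(f"{label}: {f['location'][:40]}... exposed={f['exposed']}")
```

To audit a live server, read the site file (or the output of `nginx -T`) into a string and pass it to `audit_php_locations`; nested location blocks are each examined on their own.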
Pierluigi Paganini
