
posted by janrinok on Monday November 18 2019, @05:47PM   Printer-friendly
from the keep-up-with-updates dept.

New NextCry Ransomware Encrypts Data on NextCloud Linux Servers

A new ransomware strain has been found in the wild that, at the time of writing, is not detected by the antivirus engines on public scanning platforms. It is called NextCry because of the extension it appends to encrypted files and because it targets users of the Nextcloud file sync and share software.

The malware targets Nextcloud instances and for the time being there is no free decryption tool available for victims.

xact64, a Nextcloud user, posted on the BleepingComputer forum some details about the malware in an attempt to find a way to decrypt personal files.

Although his server was backed up, the Nextcloud sync client had already begun replacing files on his laptop with their encrypted versions from the server. He acted the moment he saw files being renamed, but some were still processed by NextCry (also written Next-Cry). A synced client copy is not a backup: whatever happens to a file on the server is mirrored to every client that syncs it, so the only copies that survive are the ones the server cannot write to.

“I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted)” - xact64

Looking at the malware binary, Michael Gillespie said the threat appears to be new and pointed out that NextCry Base64-encodes the file names. The odd part is that each file's content is also Base64-encoded after being encrypted.

The malware had not been submitted to the ID Ransomware service before, but some details are available. BleepingComputer found that NextCry is a Python script packaged into a Linux ELF binary with PyInstaller. At the time of writing, not one antivirus engine on VirusTotal detects it.

[...] Another Nextcloud user, Alex, posted on the platform's support page about being hit by NextCry. They say that SSH access to their instance had been locked down and that it ran the latest version of the software, which suggests that some vulnerability was exploited to get in.

In a conversation with BleepingComputer, xact64 said that their Nextcloud installation runs on an old Linux computer behind NGINX. This detail may explain how the attacker got in.

“I have my own linux server (an old thin client I gave a second life) with nginx reverse-proxy” - xact64

On October 24, Nextcloud released an urgent alert about a remote code execution vulnerability affecting its documented default NGINX configuration.

Tracked as CVE-2019-11043, the flaw is in PHP-FPM (FastCGI Process Manager), which Nextcloud's default setup, and some hosting providers, use to run PHP behind NGINX. It is reached through the fastcgi_split_path_info regex in that configuration: a crafted URL makes the regex fail to match, NGINX hands PHP-FPM an empty PATH_INFO, and a buffer underflow in PHP-FPM's handling of that value gives the attacker code execution. A public exploit exists and has been used to compromise servers. The fix is to update PHP (7.1.33, 7.2.24 or 7.3.11 or later); the widely recommended workaround is a "try_files $fastcgi_script_name =404;" guard in the PHP location block, so that requests for scripts that do not exist on disk never reach PHP-FPM.
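The configuration check below is an added example, not Nextcloud's or BleepingComputer's code. It scans an NGINX config for PHP-FPM location blocks that derive PATH_INFO from fastcgi_split_path_info without a try_files ... =404 guard, and compares a PHP version string against the releases that fixed CVE-2019-11043. The two config snippets are constructed for the example, modelled on the documented Nextcloud PHP block before and after the guard was added; treating branches newer than 7.3 as fixed and older, end-of-life branches as unpatched is an assumption.

```python
"""Audit NGINX/PHP-FPM exposure to CVE-2019-11043 (added example, not Nextcloud code)."""
import re
from typing import Dict, List, Tuple

# PHP releases that fixed CVE-2019-11043 (PHP bug #78599), per branch.
FIXED_PHP: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 1): (7, 1, 33),
    (7, 2): (7, 2, 24),
    (7, 3): (7, 3, 11),
}


def parse_php_version(version: str) -> Tuple[int, int, int]:
    """Turn '7.3.11' or a distro string like '7.2.24-1+ubuntu18.04.1' into a tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def php_is_patched(version: str) -> bool:
    """True if this PHP release carries the fix for CVE-2019-11043."""
    major, minor, patch = parse_php_version(version)
    fixed = FIXED_PHP.get((major, minor))
    if fixed is not None:
        return (major, minor, patch) >= fixed
    # Assumption: branches after 7.3 were released with the fix; older,
    # end-of-life branches never received it and are treated as unpatched.
    return (major, minor) > (7, 3)


_LOCATION_HEADER = re.compile(r"location\s+[^{]*\{")


def extract_location_blocks(config: str) -> List[Tuple[str, str]]:
    """Return (header, body) for each `location` block, matching nested braces.

    Comments are stripped first so a '#' line cannot unbalance the braces.
    """
    config = re.sub(r"#[^\n]*", "", config)
    blocks = []
    for m in _LOCATION_HEADER.finditer(config):
        depth, i = 1, m.end()
        while i < len(config) and depth > 0:
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
            i += 1
        blocks.append((m.group(0)[:-1].strip(), config[m.end():i - 1]))
    return blocks


def audit_php_locations(config: str) -> List[Dict[str, object]]:
    """Flag PHP-FPM blocks whose PATH_INFO comes from fastcgi_split_path_info
    and that lack a `try_files ... =404` guard, the pattern the public
    exploit for CVE-2019-11043 needs."""
    findings = []
    for header, body in extract_location_blocks(config):
        if "fastcgi_pass" not in body:
            continue  # this block does not hand requests to PHP-FPM
        splits = "fastcgi_split_path_info" in body
        guarded = re.search(r"\btry_files\s+[^;]*=404\s*;", body) is not None
        findings.append({"location": header, "splits_path_info": splits,
                         "try_files_guard": guarded, "exposed": splits and not guarded})
    return findings


# Constructed sample configs for the example: the first is modelled on the
# documented Nextcloud PHP block before the guard was added, the second after.
VULNERABLE_CONFIG = r"""
location / { try_files $uri $uri/ /index.php$request_uri; }
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-handler;  # upstream to PHP-FPM
}
"""

HARDENED_CONFIG = r"""
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;   # 404 unless the script file exists
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_pass php-handler;
}
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        for f in audit_php_locations(cfg):
            print(f"{name}: {f['location']} exposed={f['exposed']}")
    for v in ("7.3.10", "7.3.11", "7.2.24-1+ubuntu18.04.1+deb.sury.org+1"):
        print(f"PHP {v}: patched={php_is_patched(v)}")
```

Run it against the real config (for example, the contents of /etc/nginx/sites-enabled/nextcloud) and the output of php-fpm -v; a block reported as exposed on an unpatched PHP is the combination the public exploit needs. The regex change in the hardened block does not by itself stop the exploit, since the crafted URL defeats the match either way; the try_files guard is what keeps the request from reaching PHP-FPM.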


  • (Score: 3, Insightful) by ikanreed on Monday November 18 2019, @06:53PM (11 children)

    by ikanreed (3164) Subscriber Badge on Monday November 18 2019, @06:53PM (#921628) Journal

    The thing that gets me about ransomware is that an absolutely trivial best IT practice completely obviates its risk. Periodic full backups.

  • (Score: 3, Insightful) by vux984 on Monday November 18 2019, @09:29PM (8 children)

    by vux984 (5045) on Monday November 18 2019, @09:29PM (#921687)

    Myth #1: Periodic full backups are absolutely trivial.

    They aren't trivial. They are extremely difficult to manage, especially in the home and SME spaces, where IT is limited and/or outsourced.
    And even more difficult once the data to be backed up exceeds the 1 hour backup-time threshold.

    • (Score: 0) by Anonymous Coward on Monday November 18 2019, @09:46PM (5 children)

      by Anonymous Coward on Monday November 18 2019, @09:46PM (#921692)

      They aren't trivial. They are extremely difficult to manage, especially in the home and SME spaces, where IT is limited and/or outsourced.
      And even more difficult once the data to be backed up exceeds the 1 hour backup-time threshold.

      IOW amateurs will fuck it up.

      Forgive me if I haven't much pity for people who cheap out on professional services when their business depends on them.

      • (Score: 0) by Anonymous Coward on Monday November 18 2019, @10:28PM (1 child)

        by Anonymous Coward on Monday November 18 2019, @10:28PM (#921714)

        Forgive me if I haven't much pity for people who cheap out on professional services when their business depends on them.

        Personal/home installation of Nextcloud is a pretty common use case. In fact, I wouldn't be surprised if that was the vast majority of installations of the community version.

        What's more, I'm sure a bakery or a nail salon would go out of business in twelve minutes if their Nextcloud server was down.

        But since you don't like it, let's force *everyone* to purchase not only the commercial version, but commercial support too.

        In fact, let's send armed thugs to every home that has Nextcloud installed to make sure.

        Because AC says so! Please.

        • (Score: 0) by Anonymous Coward on Tuesday November 19 2019, @01:27AM

          by Anonymous Coward on Tuesday November 19 2019, @01:27AM (#921793)

          Personal/home installation of Nextcloud is a pretty common use case. In fact, I wouldn't be surprised if that was the vast majority of installations of the community version.

          So?

          What's more, I'm sure a bakery or a nail salon would go out of business in twelve minutes if their Nextcloud server was down.

          Nobody owes them a working system. Vendors provide better support for a fee.

          But since you don't like it, let's force *everyone* to purchase not only the commercial version, but commercial support too.

          They are free to pay for commercial support for someone to give a shit, or suffer the consequences if they feel they want to take the risk of it all falling apart.

      • (Score: 2) by vux984 on Tuesday November 19 2019, @12:26AM (2 children)

        by vux984 (5045) on Tuesday November 19 2019, @12:26AM (#921772)

        IOW amateurs will fuck it up.

        A few minutes ago it was so easy to get right that it's "absolutely trivial". But now you need trained IT professionals not to get it wrong? Talk about moving the goal posts.

        Forgive me if I haven't much pity for people who cheap out on professional services when their business depends on them.

        I read of an incident just recently where a bunch of small businesses running Datto backup appliances were all breached over a weekend. The hackers breached the managed service provider reselling them the datto product/service and used that to access and encrypt the customers' servers, formatted the datto appliance backups, AND deleted the datto cloud backups.

        Call the managed IT service provider an amateur who shouldn't have been in business if it makes you feel any better, but that doesn't help the customers who didn't "cheap out on professional services". They did all they could reasonably do. They hired someone to manage their backups who specialized in IT services and specifically offered backup management for their clients' servers.

        Let me guess you're going to move the goal posts again right?

        It's not enough to be a professional IT specialist, but now you need to be specialized in doing backups, working within a company that knows and follows all security best practices at all times.

        You know... because that's absolutely TRIVIAL.

        Or maybe, just maybe, it's not trivial, and that's why ransomware is an epidemic right now: because doing backups sufficient to counter them is actually quite DIFFICULT & EXPENSIVE.

        • (Score: 0) by Anonymous Coward on Tuesday November 19 2019, @01:21AM (1 child)

          by Anonymous Coward on Tuesday November 19 2019, @01:21AM (#921792)

          For the experienced professional, it is indeed trivial.

          Care to speculate on the outcome of winging it and performing surgery on your dog, vs taking him to the vet?

          • (Score: 2) by vux984 on Tuesday November 19 2019, @05:11PM

            by vux984 (5045) on Tuesday November 19 2019, @05:11PM (#922002)

            For the experienced professional, it is indeed trivial.

            No, the experienced professionals know it isn't trivial.

            Backups aren't simply about making copies. It's also about verification, it's about consistency and reliability. It's about performance. It's about encryption. It's often tied up with compliance (HIPAA etc. -- the backups are just as covered as the originals and need to be appropriately controlled.) And lately it's also VERY much about security. Anyone who thinks all that is trivial simply doesn't know what they are talking about. Hell, doing JUST the security part right is not trivial.

    • (Score: 2) by ElizabethGreene on Tuesday November 19 2019, @03:26AM (1 child)

      by ElizabethGreene (6748) Subscriber Badge on Tuesday November 19 2019, @03:26AM (#921826) Journal

      They [periodic full backups] are extremely difficult to manage

      There is a reason I won't work as a backup administrator.

      The very best you can do at this job is meets expectations. Beat your RTO? Great, that's your job. Can't restore a file that the user can't remember the name of or where it was? Completely not your fault, and still you've failed.

      It's a no-win gig. Saving the day is "meets expectations". :(

      • (Score: 0) by Anonymous Coward on Tuesday November 19 2019, @06:04AM

        by Anonymous Coward on Tuesday November 19 2019, @06:04AM (#921854)

        Very well put, but such is the situation for pretty much any aspect of system administration.
        I had somehow fallen into that field, and it took luck to finally shift over to a development job.

  • (Score: 2) by HiThere on Tuesday November 19 2019, @12:06AM (1 child)

    by HiThere (866) Subscriber Badge on Tuesday November 19 2019, @12:06AM (#921758) Journal

    You're assuming that much of the value of the data isn't in the delta between the past backup and the current state. This isn't always true.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 2) by ikanreed on Tuesday November 19 2019, @02:36PM

      by ikanreed (3164) Subscriber Badge on Tuesday November 19 2019, @02:36PM (#921921) Journal

      It's true, but for individual users' important files, you're often talking about a few small changes to a word document or excel sheet over 24 hours.

      If programmers ever lose work, it's their own fault for not committing often enough.