
posted by janrinok on Monday November 18 2019, @05:47PM
from the keep-up-with-updates dept.

New NextCry Ransomware Encrypts Data on NextCloud Linux Servers

A new ransomware has been found in the wild that is currently undetected by antivirus engines on public scanning platforms. It is named NextCry after the extension it appends to encrypted files and because it targets clients of the NextCloud file sync and share service.

The malware targets Nextcloud instances and for the time being there is no free decryption tool available for victims.

xact64, a Nextcloud user, posted on the BleepingComputer forum some details about the malware in an attempt to find a way to decrypt personal files.

Although his system was backed up, the synchronization process had started overwriting files on a laptop with their encrypted versions from the server. He took action the moment he saw the files renamed, but some of them still got processed by NextCry, otherwise known as Next-Cry.

“I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted)” - xact64

Looking at the malware binary, Michael Gillespie said that the threat seems new and pointed out that the NextCry ransomware uses Base64 to encode the file names. The odd part is that an encrypted file's content is also encoded this way, after first being encrypted.

The malware had not been submitted to the ID Ransomware service before, but some details are available. BleepingComputer discovered that NextCry is a Python script compiled into a Linux ELF binary using pyInstaller. At the moment of writing, not one antivirus engine on the VirusTotal scanning platform detects it.

[...] Another Nextcloud user named Alex posted on the platform’s support page about being hit by NextCry ransomware. They say that access to their instance had been locked via SSH and that it ran the latest version of the software, suggesting that some vulnerability was exploited to get in.

In a conversation with BleepingComputer xact64 said that their Nextcloud installation runs on an old Linux computer with NGINX. This detail may provide the answer to how the attacker was able to get access.

“I have my own linux server (an old thin client I gave a second life) with nginx reverse-proxy” - xact64

On October 24, Nextcloud released an urgent alert about a remote code execution vulnerability that impacts the default Nextcloud NGINX configuration.

Tracked as CVE-2019-11043, the flaw is in the PHP-FPM (FastCGI Process Manager) component, included by some hosting providers like Nextcloud in their default setup. A public exploit exists and has been leveraged to compromise servers.
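The details above (Base64-encoded file names, contents encrypted and then Base64-encoded, an extension appended, and a sync client that propagated the damage to a laptop) give a defender enough to triage a Nextcloud data directory. The Python script below is an added example written for this page, not code from BleepingComputer, Nextcloud or the malware analysis. The `.ntcry` suffix is an assumption, since the story names the malware after the extension without quoting it, so set `SUFFIX` to whatever you observe. The script builds a constructed sample tree, reports every file carrying the suffix, checks whether its name and body decode as Base64 (standard or URL-safe), and recovers the original file name where it can.

```python
import base64
import binascii
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumption: the story does not quote the appended extension; adjust to match
# what appears on the affected server.
SUFFIX = ".ntcry"

# Standard and URL-safe Base64 alphabets plus padding.
_B64_CHARS = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       b"abcdefghijklmnopqrstuvwxyz0123456789+/=-_")


def decode_base64(data: bytes) -> Optional[bytes]:
    """Decode standard or URL-safe Base64; None if `data` is not valid Base64."""
    stripped = data.replace(b"\r", b"").replace(b"\n", b"")
    if not stripped or len(stripped) % 4 or not set(stripped) <= _B64_CHARS:
        return None
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(stripped, altchars=altchars, validate=True)
        except binascii.Error:
            continue
    return None


def classify(path: Path, suffix: str, sample_bytes: int = 4096) -> Optional[Dict]:
    """Describe a file that carries the ransom suffix; None if it does not."""
    name = path.name
    if not name.endswith(suffix) or len(name) == len(suffix):
        return None
    stem = name[:-len(suffix)]
    decoded_name = decode_base64(stem.encode())
    with path.open("rb") as fh:
        head = fh.read(sample_bytes)  # 4096 is a multiple of 4, so a prefix still validates
    content_encoded = decode_base64(head) is not None
    name_encoded = decoded_name is not None
    return {
        "path": str(path),
        "original_name": decoded_name.decode("utf-8", "replace") if name_encoded else None,
        "name_encoded": name_encoded,
        "content_encoded": content_encoded,
        # Both name and body encoded matches the behaviour described in the story.
        "confidence": "high" if (name_encoded and content_encoded) else "low",
    }


def find_candidates(root: Path, suffix: str) -> List[Dict]:
    """Walk `root` and collect every file carrying the ransom suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            hit = classify(Path(dirpath) / fname, suffix)
            if hit:
                hits.append(hit)
    return hits


def build_sample_tree() -> Path:
    """Constructed sample data directory: one untouched file, one file that looks
    fully processed (Base64 name, Base64 body), and one that carries the suffix
    but neither encoding (for example renamed by hand during recovery)."""
    root = Path(tempfile.mkdtemp(prefix="nextcloud-data-"))
    (root / "notes.txt").write_bytes(b"quarterly notes, still plain\n")
    encoded_name = base64.b64encode(b"report.pdf").decode() + SUFFIX
    # Random bytes stand in for ciphertext, then Base64-encoded as the story describes.
    (root / encoded_name).write_bytes(base64.b64encode(os.urandom(96)))
    (root / ("backup.tar" + SUFFIX)).write_bytes(b"plain tar bytes, no encoding")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in find_candidates(sample, SUFFIX):
        print(hit["confidence"], hit["path"], "<-", hit["original_name"])
```

The "high" tier (both name and body decode) is what to quarantine before restoring from backup; pausing the desktop sync clients first keeps the scenario in the story, where encrypted copies overwrote files on a laptop, from repeating during recovery.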

  • (Score: 4, Interesting) by Mojibake Tengu on Monday November 18 2019, @07:41PM (3 children)

    by Mojibake Tengu (8598) on Monday November 18 2019, @07:41PM (#921640) Journal

    One of the interesting side effects of ransomware is that victims paying ransom have to buy cryptocurrencies on the market, which significantly contributes to the fiat liquidity of cryptocurrencies.
    For that reason, investigators should look for possible connections between exchange operators and ransomware operators. Both of them understand crypto well, don't they?
    Especially in cases where victims are couched to a specific market.

    --
    Respect Authorities. Know your social status. Woke responsibly.
  • (Score: 2) by PartTimeZombie on Monday November 18 2019, @07:56PM (2 children)

    by PartTimeZombie (4827) on Monday November 18 2019, @07:56PM (#921648)

    I would also like to know how ransomware winds up encrypting files, as I run a Nextcloud server on Linux.

    Not a huge number of users or data, but still. I would prefer to not have to bugger about with restoring from backup if possible.

    I also ran a whois on the domain ctemplar.com, which is the extortion email address, and of course it comes back with Registrant Contact
    Name:WhoisGuard Protected
    Organization:WhoisGuard, Inc.
    Street:P.O. Box 0823-03411
    City:Panama
    State:Panama
    Country:PA
    Phone:+507.8365503
    Fax:+51.17057182
    Email:email@whoisguard.com

    Bloody Panama. What is that country good for?

    • (Score: 2) by NotSanguine on Monday November 18 2019, @08:37PM

      There's a bunch of information you *didn't* include (see below).

      Note that the Panama contact details are for *Whoisguard* not ctemplar.com -- which is the whole point of using a service like that. Tens (hundreds?) of thousands of domains use Whoisguard [whoisguard.com].

      Whois detail I find interesting (with comments by me):
      $ whois ctemplar.com
      [Querying whois.verisign-grs.com]
      [Redirected to whois.namecheap.com]
      [Querying whois.namecheap.com]
      [whois.namecheap.com]
      Domain name: ctemplar.com

      https://ctemplar.com says: CTemplar is the world's only secure email platform that is not connected to or controlled by a government or publicly traded entity.
      As such, they're hosting email for these folks and are almost certainly not involved in the ransomware scheme. Given their marketing, they likely aren't going to be very cooperative with John Q. Law either.

      Registry Domain ID: 2126748130_DOMAIN_COM-VRSN
      Registrar WHOIS Server: whois.namecheap.com
      Registrar URL: http://www.namecheap.com [namecheap.com]
      Updated Date: 2019-04-21T05:33:52.95Z
      Creation Date: 2017-05-21T22:09:36.00Z

      Note the creation and update date stamps. This is not a new domain, so this email provider has been around for a while
      Registrar Registration Expiration Date: 2020-05-21T22:09:36.00Z
      Registrar: NAMECHEAP INC
      Registrar IANA ID: 1068
      Registrar Abuse Contact Email: abuse@namecheap.com
      Registrar Abuse Contact Phone: +1.6613102107
      Reseller: NAMECHEAP INC
      Name Server: gwen.ns.cloudflare.com
      Name Server: piotr.ns.cloudflare.com

      Cloudflare is a US company and is likely hosting ctemplar.com (but maybe not in the US), but given that all emails will likely be encrypted (and like protonmail, ctemplar likely doesn't have the encryption keys), that's not likely to be fruitful for getting data about the perpetrators, unless they stupidly don't use TOR to access ctemplar.com -- a rookie mistake (think Ross Ulbricht [wikipedia.org] from Silk Road).
      DNSSEC: unsigned
      [End whois output excerpt]

      As such, there really isn't much here that could help identify these guys. Really, the way to do that is to *follow the money*. Presumably (or maybe not), the scammers will convert BTC to some fiat currency -- that's where and how they might be identified.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 2) by NotSanguine on Monday November 18 2019, @08:40PM

      Not a huge number of users or data, but still. I would prefer to not have to bugger about with restoring from backup if possible.

      Apply updates [soylentnews.org] to your Linux server or download/compile/install the latest versions of PHP/PHP-FPM.

      Sorry, I got caught up in the whois bit and forgot to respond to this bit in my last reply.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
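The advice to apply updates maps to two concrete checks on a Nextcloud host: is the PHP-FPM build at or past the release that fixed CVE-2019-11043, and does the nginx `location` block that hands PHP requests to FPM still split PATH_INFO without a guard? The Python below is an added example, not Nextcloud's or the commenter's code. The fixed releases (7.1.33, 7.2.24, 7.3.11) are taken from PHP's release notes rather than from this page, the `try_files $fastcgi_script_name =404;` guard is the mitigation that PHP's nginx example and Nextcloud's advisory recommended as far as I know, and both config snippets are constructed.

```python
import re
from typing import List, Tuple

# First release on each PHP 7 branch that fixed CVE-2019-11043 (PHP bug 78599).
# Values come from PHP's release notes, not from the story above.
FIXED_IN = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}


def parse_php_version(text: str) -> Tuple[int, int, int]:
    """Extract the x.y.z triple from output such as 'PHP 7.3.10 (fpm-fcgi)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return major, minor, patch


def php_fpm_patched(version_text: str) -> bool:
    """True if this PHP build is at or past the fixed release for its branch.
    Branches with no fixed release (7.0 and older) are reported as unpatched."""
    major, minor, patch = parse_php_version(version_text)
    if (major, minor) >= (7, 4):
        return True  # 7.4 and later were released after the fix
    fixed = FIXED_IN.get((major, minor))
    return fixed is not None and (major, minor, patch) >= fixed


def location_blocks(config: str) -> List[Tuple[str, str]]:
    """Return (header, body) pairs for each nginx location block, counting
    braces so nested blocks do not cut the body short."""
    blocks = []
    for m in re.finditer(r"location\s+([^{]+)\{", config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
            i += 1
        blocks.append((m.group(1).strip(), config[m.end():i - 1]))
    return blocks


def risky_locations(config: str) -> List[str]:
    """Heuristic: location blocks that split PATH_INFO for PHP-FPM without the
    try_files guard that rejects requests for scripts that do not exist."""
    risky = []
    for header, body in location_blocks(config):
        splits = "fastcgi_split_path_info" in body
        path_info = re.search(r"fastcgi_param\s+PATH_INFO\b", body) is not None
        guarded = re.search(r"try_files\s+\$fastcgi_script_name\s+=404", body) is not None
        if splits and path_info and not guarded:
            risky.append(header)
    return risky


# Constructed snippets: the first resembles the PHP handler block many guides
# shipped, the second adds the guard.
VULNERABLE_CONF = r"""
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-handler;
}
"""

HARDENED_CONF = r"""
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-handler;
}
"""

if __name__ == "__main__":
    for banner in ("PHP 7.3.10 (fpm-fcgi)", "PHP 7.3.11 (fpm-fcgi)"):
        print(banner, "->", "patched" if php_fpm_patched(banner) else "UPDATE")
    print("vulnerable config flags:", risky_locations(VULNERABLE_CONF))
    print("hardened config flags:", risky_locations(HARDENED_CONF))
```

Feed `php-fpm -v` output to `php_fpm_patched` and the rendered nginx config (`nginx -T`) to `risky_locations`; the config check is a heuristic for triage, so a build that is still below the fixed release needs the update regardless of what the config looks like.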