
New NextCry Ransomware Targets Linux Servers

November 18, 2019

NextCloud is “the most popular self-hosted collaboration solution for tens of millions of users at thousands of organizations across the globe” (NextCloud.com). In short, it is a popular, easy-to-use file-sharing service. Its services are used by many high-risk industries such as health care, finance, education and government. At this scale of use, NextCry could become the next cyber epidemic.

NextCry is ransomware and, as the name suggests, it holds computer systems and all their information “ransom.” Using modern encryption such as AES-256, the data can only be recovered with the decryption key, a key which only the hackers have. The hackers demand a hefty payment in Bitcoin to have the data recovered. If the fee is paid, the victim may be given a key to decrypt the information. Emphasis on the “may”: there is no guarantee that the hackers will even send the decryption key after receiving the payment!

What if a large financial firm such as Ameritrade lost all of its proprietary information overnight? What if hundreds of thousands of patient medical records were lost by a hospital? The results would be catastrophic, and millions of people worldwide would be affected. It is very important to take proper action against this malware.

The specific vulnerability NextCry takes advantage of is a remote code execution flaw documented as CVE-2019-11043. NextCloud recommends that “administrators upgrade their PHP packages and NGINX configuration file to the latest version to protect against NextCry attacks.” As with many other cyber-attacks, it is outdated systems that are vulnerable. All organizations that use NextCloud need to check whether they are vulnerable and then take the recommended actions.
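As an added example (not code from the original post or from NextCloud), here is a Python check an administrator can run over an NGINX configuration to spot the PATH_INFO-forwarding pattern that the public advisory for CVE-2019-11043 associates with the bug. The two sample configuration blocks are constructed, the directive names are standard NGINX FastCGI directives, and the assumption is that a location block which forwards `$fastcgi_path_info` to PHP-FPM without a `try_files ... =404` guard is worth flagging for review.

```python
import re

# Constructed sample: splits and forwards PATH_INFO to PHP-FPM with no
# try_files guard (assumption: the shape of many pre-fix NGINX snippets).
RISKY_CONF = """
location ~ \\.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-handler;
}
"""

# Constructed sample: same block with the guard that makes NGINX return 404
# instead of handing a non-existent script path to PHP-FPM.
HARDENED_CONF = """
location ~ \\.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-handler;
}
"""

# Matches flat location blocks (no nested braces), which is enough for the
# PHP handler blocks this check is concerned with.
LOCATION_RE = re.compile(r"location\b[^{]*\{(?P<body>[^{}]*)\}", re.S)


def audit_nginx_config(conf: str) -> list[str]:
    """Return one finding per location block that forwards an unchecked PATH_INFO.

    A block is flagged when it uses fastcgi_split_path_info, forwards
    $fastcgi_path_info as PATH_INFO, and lacks a try_files ... =404 guard.
    """
    findings = []
    for i, m in enumerate(LOCATION_RE.finditer(conf), start=1):
        body = m.group("body")
        splits = "fastcgi_split_path_info" in body
        forwards = re.search(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info", body)
        guarded = re.search(r"try_files\s+\$fastcgi_script_name\s+=404", body)
        if splits and forwards and not guarded:
            findings.append(f"location block {i}: PATH_INFO forwarded without try_files =404 guard")
    return findings


if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_nginx_config(conf) or ["no findings"])
```

A finding means the block should be reviewed against the current NextCloud NGINX guidance and the PHP packages updated as the advisory recommends; a clean result does not by itself prove the PHP-FPM binary is patched.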