NextCloud Linux Servers Targeted by NextCry Ransomware (linuxsecurity.com)

b-dayyy quotes Linux Security: A new and particularly troublesome ransomware variant has been identified in the wild. Dubbed NextCry, this nasty strain of ransomware encrypts data on NextCloud Linux servers and has managed to evade the detection of public scanning platforms and antivirus engines. To make matters worse, there is currently no free decryption tool available for victims.

Ransomware hunter and creator of ID Ransomware Michael Gillespie notes that the NextCry ransomware, which is a Python script compiled into a Linux ELF binary using pyInstaller, oddly uses Base64 to encode file names as well as the content of files which have already been encrypted. Gillespie has also confirmed that NextCry encrypts data using the AES algorithm with a 256-bit key.

The ransom note that NextCry victims receive reads "READ_FOR_DECRYPT", and demands 0.025 BTC for a victim's files to be unlocked.
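As an added illustration (not code from NextCry, Nextcloud or the Linux Security article), the scan below walks a Nextcloud data directory and flags the three traits the summary gives: a file named READ_FOR_DECRYPT (an assumption: the page only says the note "reads" that), file names that are valid Base64, and file content that is Base64 whose decoded bytes have near-random entropy, which is what AES output looks like and what an ordinary Base64 text file such as a PEM dump does not. The directory it scans is constructed inline for the example.

```python
"""
Triage scan of a Nextcloud data directory for the NextCry indicators named in
the write-up above. Added example, not code from NextCry, Nextcloud or the
article; it only looks for the traits the article gives (Base64 file names,
Base64 file content, a READ_FOR_DECRYPT note) and uses a decoded-entropy
check to avoid flagging ordinary Base64 text such as PEM dumps.
"""
import base64
import binascii
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "READ_FOR_DECRYPT"   # assumption: the note is a file of this name
MIN_B64_LEN = 16                   # shorter strings are too often valid Base64 by accident
ENTROPY_BITS = 7.0                 # decoded AES output sits near 8.0 bits/byte
HEAD_BYTES = 4096                  # only the head of each file is read


def is_strict_base64(blob: bytes) -> bool:
    """True if blob is at least MIN_B64_LEN bytes of valid, correctly padded Base64."""
    if len(blob) < MIN_B64_LEN or len(blob) % 4:
        return False
    try:
        base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, ASCII text is typically under 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def content_looks_encrypted(path: str) -> bool:
    """Head of the file is Base64 whose decoded bytes look like ciphertext."""
    try:
        with open(path, "rb") as f:
            head = f.read(HEAD_BYTES)
    except OSError:
        return False
    head = head.replace(b"\r", b"").replace(b"\n", b"")   # tolerate line-wrapped Base64
    head = head[: len(head) - len(head) % 4]              # a truncated head needs a 4-byte boundary
    if not is_strict_base64(head):
        return False
    decoded = base64.b64decode(head)
    return len(decoded) >= 64 and shannon_entropy(decoded) > ENTROPY_BITS


def scan_tree(root: str) -> dict:
    """Walk root and bucket files by indicator; a file may land in more than one bucket."""
    found = {"ransom_notes": [], "encoded_names": [], "encrypted_content": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                found["ransom_notes"].append(path)
                continue
            if is_strict_base64(name.encode("utf-8", "surrogateescape")):
                found["encoded_names"].append(path)
            if content_looks_encrypted(path):
                found["encrypted_content"].append(path)
    return found


def make_sample_tree(root: str) -> None:
    """Constructed sample data, not a real capture: two untouched files, one file
    renamed and rewritten the way the article describes, and the note."""
    files = os.path.join(root, "alice", "files")
    os.makedirs(files)
    with open(os.path.join(files, "notes.txt"), "wb") as f:
        f.write(b"quarterly numbers\n" * 20)
    with open(os.path.join(files, "cert.b64"), "wb") as f:           # Base64, but decodes to text
        f.write(base64.b64encode(b"-----BEGIN CERTIFICATE-----\n" * 8))
    encoded_name = base64.b64encode(b"invoice-2019.pdf").decode()   # 'aW52b2ljZS0yMDE5LnBkZg=='
    with open(os.path.join(files, encoded_name), "wb") as f:
        f.write(base64.b64encode(bytes(range(256)) * 16))           # stand-in for AES output
    with open(os.path.join(files, RANSOM_NOTE), "wb") as f:
        f.write(b"constructed placeholder for the ransom text\n")


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it and return base names per bucket."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        found = scan_tree(root)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

Run it against a real data directory with `scan_tree("/path/to/nextcloud/data")`; the entropy gate is what keeps legitimately Base64-encoded attachments out of the encrypted_content bucket, and a hit in all three buckets at once is the pattern worth acting on.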

  • Most people would have no difficulty coming up with that kind of money.

    • I would consider it much better not to support that scum even though I could afford to.
      • I agree, but it's interesting that the ransom has fallen to such a small amount. Are they expecting thousands of victims, or did they just not think their plan through very carefully?

        • It sounds like they're avoiding prosecution. Most law enforcement can't be convinced to take any active role if the cost of crime is below a certain threshold, and money transfers below certain thresholds do not require the mandatory reporting that larger sums require.

        • Maybe it's per file?
      • Re:

        > I would consider it much better not to support that scum even though I could afford to.

        You're not the victim, so your "considering" is not much help here.

  • Kind of a dupe

    by WoodstockJeff ( 568111 ) on Sunday November 24, 2019 @04:00PM

    https://developers.slashdot.or... [slashdot.org]

    > One such case is web hosting provider Nextcloud, who issued a security advisory to its clients on Thursday, October 24, urging customers to update PHP to the latest release, versions 7.3.11 and 7.2.24, which had been released on the same day and included fixes for CVE-2019-11043.

  • by organgtool ( 966989 ) on Sunday November 24, 2019 @04:15PM
    I've been following this story closely since I also use NextCloud. I had a feeling it was related to the recently disclosed PHP vulnerability but it took several days for that to be confirmed. The scariest part about this is that the first person who reported a case of this ransomware had an automatic backup system in place but the automated backup started to sync the encrypted files which overwrote the original files.

    On a related note, does anyone know if ZFS, or if any other filesystem, deduplicates blocks when it stores snapshots? If so, that may be an efficient way to preserve the data on a backup drive. In any event, if you have any services that use PHP (NextCloud/OwnCloud, Wordpress, etc), get them updated ASAP!
    • by zynthaxx ( 725359 ) on Sunday November 24, 2019 @04:36PM
      Sync is not backup - it is sad that someone had to learn that the hard way.
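An added example (not Nextcloud's sync client or any backup product) of what a sync job needs in order not to do what the comment above describes: it moves the previous version of every file it is about to overwrite or delete into a per-run history directory first, and refuses to run at all when the source contains a READ_FOR_DECRYPT note or when more than a configurable share of the already-backed-up files would change. The threshold, the directory layout and the sample files are assumptions made for the demo.

```python
"""
Sync with history plus a mass-change circuit breaker. Added example, not
Nextcloud's client or any backup product. It addresses the failure in the
comment above: a one-way sync that obediently copies encrypted files over the
only good copy. Here the previous version of every file about to be
overwritten or deleted is moved into history/<run_id>/ first, and the run is
refused outright when a ransom note is present or an abnormal share of the
already-backed-up files would change.
"""
import hashlib
import os
import shutil
import tempfile
import time

RANSOM_NOTE = "READ_FOR_DECRYPT"  # note name from the write-up above


class SyncAborted(Exception):
    """Raised before anything in the destination is touched."""


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            state[os.path.relpath(p, root)] = _sha256(p)
    return state


def safe_sync(src: str, dst: str, history: str, max_change_ratio: float = 0.2,
              run_id: str = None) -> dict:
    """One-way sync src -> dst that refuses to run if it looks like a wipe-out."""
    src_state, dst_state = snapshot(src), snapshot(dst)
    if any(os.path.basename(rel) == RANSOM_NOTE for rel in src_state):
        raise SyncAborted("ransom note present in source")
    changed = sorted(r for r in dst_state if r in src_state and src_state[r] != dst_state[r])
    deleted = sorted(r for r in dst_state if r not in src_state)
    added = sorted(r for r in src_state if r not in dst_state)
    if dst_state:
        ratio = (len(changed) + len(deleted)) / len(dst_state)
        if ratio > max_change_ratio:
            raise SyncAborted(f"{ratio:.0%} of backed-up files would change")
    run_id = run_id or time.strftime("%Y%m%dT%H%M%S")
    for rel in changed + deleted:          # preserve the old version first
        keep = os.path.join(history, run_id, rel)
        os.makedirs(os.path.dirname(keep), exist_ok=True)
        shutil.move(os.path.join(dst, rel), keep)
    for rel in changed + added:            # then bring dst up to date
        target = os.path.join(dst, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src, rel), target)
    return {"added": added, "changed": changed, "deleted": deleted}


def _write(root: str, rel: str, data: bytes) -> None:
    p = os.path.join(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(data)


def _refused(src: str, dst: str, hist: str, run_id: str) -> bool:
    try:
        safe_sync(src, dst, hist, run_id=run_id)
    except SyncAborted:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: first backup, one honest edit, then a ransomware-style rewrite."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        src, dst, hist = (os.path.join(tmp, d) for d in ("src", "dst", "history"))
        for d in (src, dst, hist):
            os.makedirs(d)
        for i in range(5):
            _write(src, f"docs/report{i}.txt", f"report {i}\n".encode())
        out["first_run_added"] = len(safe_sync(src, dst, hist, run_id="run1")["added"])
        _write(src, "docs/report0.txt", b"report 0, revised\n")   # 1 of 5 changed: allowed
        out["edit_changed"] = safe_sync(src, dst, hist, run_id="run2")["changed"]
        with open(os.path.join(hist, "run2", "docs", "report0.txt"), "rb") as f:
            out["history_kept_original"] = f.read() == b"report 0\n"
        good_state = snapshot(dst)
        _write(src, RANSOM_NOTE, b"constructed placeholder note\n")
        out["note_refused"] = _refused(src, dst, hist, "run3")
        os.remove(os.path.join(src, RANSOM_NOTE))
        for i in range(5):                                          # every file rewritten
            _write(src, f"docs/report{i}.txt", b"ciphertext-stand-in\n")
        out["mass_change_refused"] = _refused(src, dst, hist, "run4")
        out["dst_untouched"] = snapshot(dst) == good_state
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ratio check is deliberately cheap and coarse; a real job would also want the history directory on storage the synced host cannot write to, which is the same point the snapshot discussion below makes with ZFS.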
    • by DasArk ( 6294344 )
      ZFS contains a deduplication feature that can be enabled on a per-dataset basis. So dedup is done in the background, always, since it's enabled, not during snapshot creation. I've been successfully using dedup to save gigabytes of data on systems hosting many identical Solaris containers (zones). But beware, the dedup feature is a memory hog, taking gigabytes of RAM - at least on Solaris.
      • Comment removed based on user account deletion
        • About a GB per TB dedicated to dedup. It's not often recommended.

        • 4GB is required to enable all the features of ZFS, though it will run on less. I have one virtual machine running on 384MB, but the only thing I stand to lose there is a couple of custom configuration files in /usr/local/etc and I save a copy elsewhere every time I change it.

      • > taking gigabytes of RAM - at least on Solaris.

        Linux and FreeBSD too.

        For every TB of pool data, you should expect 5 GB of dedup table data, assuming an average block size of 64K.

        This means you should plan for at least 20GB of system RAM per TB of pool data, if you want to keep the dedup table in RAM, plus any extra memory for other metadata, plus an extra GB for the OS.

        https://constantin.glez.de/201... [constantin.glez.de]

        https://constantin.glez.de/201... [constantin.glez.de]

    • I submitted a question about this [slashdot.org] a while back.

      Ask Slashdot: Could We Fight Ransomware With 'Unencryptable' Folders?

      What I'd like to see is backup#1/dismount#1; mount#2/backup#2/dismount#2 ...

      Every now and then I mount my NAS and do a full backup and dismount the drive. I'm retired now and about the only thing of importance is my photography.

    • > does anyone know if ZFS, or if any other filesystem, deduplicates blocks when it stores snapshots? If so, that may be an efficient way to preserve the data on a backup drive.

      ZFS is Copy-On-Write so snapshots cost almost zero disk space.

      If you got hit by this encryptor then you'd say:

      zfs rollback data/nextcloud@daily-20191123

      or whatever your snapshotting is set up for. Then reindex the files, probably.

      Some people snapshot every fifteen minutes.

      BTW Nextcloud works fine on Apache.

    • Yes, ZFS can do inline deduplication. Make sure you have plenty of RAM though. Turning it on is easy:
      # zfs set dedup=on|verify|sha256|sha512 your/dataset
      ZFS also supports inline compression that you can enable in a similar manner.
  • Does this only affect NextCloud? Or is it attacking the OwnCloud fork?

    • by Deaddy ( 1090107 )

      At work we had to look into it and it does not look like anything NextCloud specific is going on there. This is really a remote code execution vulnerability in nginx + php-fpm and not one of NextCloud. Data directories in NextCloud and OwnCloud also still look similar enough.

      However, ownCloud usually runs on Apache and I think nginx support has been dropped for quite a while. I guess the attacker chose nextcloud as a target because it is something that

      • commonly runs on nginx with php-fpm,
      • is run by enthus
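To make the "nginx + php-fpm, not Nextcloud" point concrete, here is an added example (not Nextcloud's or nginx's own tooling) that audits an nginx config for the hand-off shape the public CVE-2019-11043 write-ups describe as exploitable: a location block that derives PATH_INFO with fastcgi_split_path_info and passes the request to php-fpm without first checking that the script exists. The guard it looks for is a try_files ... =404 directive or an if (-f ...) test. It is a config check only; the fix remains the PHP-FPM update the advisory asks for. Both config strings are constructed for the example, and the socket path is an assumption.

```python
"""
Audit of nginx server blocks for the php-fpm hand-off shape exploited via
CVE-2019-11043. Added example, not Nextcloud's or nginx's own tooling. It is
no substitute for the PHP update the advisory asks for; it only finds
location blocks that pass requests to php-fpm with PATH_INFO split by regex
and no check that the script actually exists (try_files or an -f test).
Both config strings below are constructed for the example.
"""

VULNERABLE_CONF = r"""
server {
    listen 80;
    root /var/www/nextcloud;
    index index.php;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;   # no existence check before hand-off
    }
}
"""

HARDENED_CONF = r"""
server {
    listen 80;
    root /var/www/nextcloud;
    index index.php;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;          # 404 unless the script exists
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""


def _tokenize(text: str) -> list:
    """Split nginx config into statements, '{' and '}' (comments dropped)."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens, buf = [], ""
    for ch in text:
        if ch in "{};":
            stmt = " ".join(buf.split())      # collapse whitespace inside a statement
            if stmt:
                tokens.append(stmt)
            if ch != ";":
                tokens.append(ch)
            buf = ""
        else:
            buf += ch
    return tokens


def _parse(tokens: list, i: int = 0):
    """Return (nodes, next_index); node = (text, children), children None for directives."""
    nodes = []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return nodes, i + 1
        if i + 1 < len(tokens) and tokens[i + 1] == "{":
            children, i = _parse(tokens, i + 2)
            nodes.append((tok, children))
        else:
            nodes.append((tok, None))
            i += 1
    return nodes, i


def audit(text: str) -> list:
    """Headers of location blocks that hand regex-split PATH_INFO to php-fpm unguarded."""
    findings = []

    def walk(nodes):
        for header, children in nodes:
            if children is None:
                continue
            if header.split()[0] == "location":
                directives = [h for h, c in children if c is None]
                blocks = [h for h, c in children if c is not None]
                hands_off = any(d.startswith("fastcgi_pass ") for d in directives)
                splits = any(d.startswith("fastcgi_split_path_info ") for d in directives)
                guarded = (any(d.startswith("try_files ") for d in directives)
                           or any(b.startswith("if ") and "-f " in b for b in blocks))
                if hands_off and splits and not guarded:
                    findings.append(header)
            walk(children)

    walk(_parse(_tokenize(text))[0])
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

The tokenizer is deliberately minimal: it does not understand braces inside regex quantifiers such as `{2}`, so treat a clean result on a config that uses them with suspicion and read the location blocks by hand.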
  • Well, that's a relief. Even though the NGINX+PHP-FPM has been touted as a high performance alternative, sometimes the old and proven is simply just old and proven.
  • Yet more "Cloud Crap" users get what they deserve.

    • What's a better open source, self-hosted DropBox alternative? Serious question - I need to send large files (~5-120G+) often.
  • fucking truman show
