New NextCry Ransomware Encrypts Data on NextCloud Linux Servers

New NextCry Ransomware Encrypts Data on NextCloud Linux Servers

A new ransomware has been found in the wild that is currently undetected by antivirus engines on public scanning platforms. Its name is NextCry due to the extension appended to encrypted files and that it targets clients of the NextCloud file sync and share service.

The malware targets Nextcloud instances and for the time being there is no free decryption tool available for victims.

Zero detection

xact64, a Nextcloud user, posted on the BleepingComputer forum some details about the malware in an attempt to find a way to decrypt personal files.

Although his system was backed up, the synchronization process had started to update files on a laptop with their encrypted version on the server. He took action the moment he saw the files renamed but some of them still got processed by NextCry, otherwise known as Next-Cry.

“I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to limit the damage that was being done (only 50% of my files got encrypted)” - xact64

Looking at the malware binary, Michael Gillespie said that the threat seems new and pointed out the NextCry ransomware uses Base64 to encode the file names. The odd part is that an encrypted file's content is also encoded this way, after first being encrypted.

The malware has not been submitted to the ID Ransomware service before but some details are available.

BleepingComputer discovered that NextCry is a Python script compiled in a Linux ELF binary using pyIns ..