A new ransomware has been found targeting Linux servers in the wild that is currently undetected by anti-virus engines on public scanning platforms. Its name is NextCry due to the extension appended to encrypted files and the fact that it targets clients of the Linux-based NextCloud file sync and share service. At this time, there is no free decryption tool available for victims. A Nextcloud user, xact64, posted some details on the BleepingComputer forum about the malware in an attempt to find a way to decrypt personal files. Although xact64’s system was backed up, the synchronization process had started to update files in the backup with an encrypted version. He took action by pulling his server to minimize damage but about 50% of his files were affected. A malware hunter, Michael Gillespie, stated that the threat seems new and pointed out that NextCry uses Base64 to encode the file names. The interesting part is that an encrypted file’s content is encrypted using the AES-256 algorithm, while the AES key is encrypted using the RSA-2048 public key embedded in the malware’s code. The attacker likely controls the private key that is required to decrypt the key for the files. BleepingComputer discovered that NextCry is a python script compiled in a Linux executable and linkable format (ELF). As of the time of this article, not one anti-virus engine on the VirusTotal scanning platform detects. It.
Encrypted and secure backups are going to be the primary defense against ransomware. These limited access backups can be used to replace encrypted files to minimize the downtime of an infected system. Endpoint Detection and Response (EDR) services, such as the Binary Defense Vision EDR platform and Security Operations Center (SOC), are capable of providing 24/7 monitoring services are perfectly poised and ready to watch an organization’s systems and either stop or minimize damage caused by viruses through early detection and defense. Vision EDR supports Linux, macOS and Windows endpoints.
For more information: https://cyware.com/news/new-nextcry-ransomware-goes-undetected-by-antivirus-engines-to-target-nextcloud-linux-servers-cba69ef0