A new ransomware has been found targeting Linux servers in the wild that is currently undetected by anti-virus engines on public scanning platforms. Its name is NextCry due to the extension appended to encrypted files and the fact that it targets clients of the Linux-based NextCloud file sync and share service. At this time, there is no free decryption tool available for victims. A Nextcloud user, xact64, posted some details on the BleepingComputer forum about the malware in an attempt to find a way to decrypt personal files. Although xact64’s system was backed up, the synchronization process had started to update files in the backup with an encrypted version. He took action by pulling his server to minimize damage but about 50% of his files were affected. A malware hunter, Michael Gillespie, stated that the threat seems new and pointed out that NextCry uses Base64 to encode the file names. The interesting part is that an encrypted file’s content is encrypted using the AES-256 algorithm, while the AES key is encrypted using the RSA-2048 public key embedded in the malware’s code. The attacker likely controls the private key that is required to decrypt the key for the files. BleepingComputer discovered that NextCry is a python script compiled in a Linux executable and linkable format (ELF). As of the time of this article, not one anti-virus engine on the VirusTotal scanning platform detects. It.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in