NextCloud Linux Servers Targeted by NextCry Ransomware (linuxsecurity.com)
b-dayyy quotes Linux Security:
A new and particularly troublesome ransomware variant has been identified in the wild. Dubbed NextCry, this nasty strain of ransomware encrypts data on NextCloud Linux servers and has managed to evade the detection of public scanning platforms and antivirus engines. To make matters worse, there is currently no free decryption tool available for victims.
Ransomware hunter and creator of ID Ransomware Michael Gillespie notes that the NextCry ransomware, which is a Python script compiled in a Linux ELF binary using pyInstaller, oddly uses Base64 to encode file names as well as the content of files which have already been encrypted. Gillespie has also confirmed that NextCry encrypts data using the AES algorithm with a 256-bit key.
The ransom note that NextCry victims receive reads "READ_FOR_DECRYPT", and demands 0.025 BTC for a victim's files to be unlocked.
0.025 BTC is $175 (Score:2)
Most people would have no difficulty coming up with that kind of money.
Re: (Score:2)
I agree, but it's interesting that the ransom has fallen to such a small amount. Are they expecting thousands of victims, or did they just not think their plan through very carefully?
Re: (Score:3)
It sounds like they're avoiding prosecution. Most law enforcement can't be convinced to take any active role if the cost of crime is below a certain threshold, and money transfers below certain thresholds do not require the mandatory reporting that larger sums require.
Re: (Score:3, Insightful)
I would consider it much better not to support that scum even though I could afford to.
You're not the victim, so your "considering" is not much help here.
Kind of a dupe (Score:4, Informative)
https://developers.slashdot.or... [slashdot.org]
> One such case is web hosting provider Nextcloud, who issued a security advisory to its clients on Thursday, October 24, urging customers to update PHP to the latest release, versions 7.3.11 and 7.2.24, which had been released on the same day and included fixes for CVE-2019-11043.
Yet Another PHP Vulnerability (Score:5, Informative)
On a related note, does anyone know if ZFS, or any other filesystem, deduplicates blocks when it stores snapshots? If so, that may be an efficient way to preserve the data on a backup drive. In any event, if you have any services that use PHP (NextCloud/OwnCloud, WordPress, etc.), get them updated ASAP!
Re: (Score:2)
About a GB per TB dedicated to dedup. It's not often recommended.
Re: (Score:2)
4GB is required to enable all the features of ZFS, though it will run on less. I have one virtual machine running on 384MB, but the only thing I stand to lose there is a couple of custom configuration files in /usr/local/etc and I save a copy elsewhere every time I change it.
Re: (Score:2)
taking gigabytes of RAM - at least on Solaris.
Linux and FreeBSD too.
For every TB of pool data, you should expect 5 GB of dedup table data, assuming an average block size of 64K.
This means you should plan for at least 20GB of system RAM per TB of pool data, if you want to keep the dedup table in RAM, plus any extra memory for other metadata, plus an extra GB for the OS.
https://constantin.glez.de/201... [constantin.glez.de]
Re: (Score:3)
I submitted a question about this [slashdot.org] a while back.
Ask Slashdot: Could We Fight Ransomware With 'Unencryptable' Folders?
What I'd like to see is backup#1/dismount#1; mount#2/backup#2/dismount#2 ...
Every now and then I mount my NAS and do a full backup and dismount the drive. I'm retired now and about the only thing of importance is my photography.
Re: (Score:2)
Sounds OK except for the incremental. I did full backups overnight every night with overwrites on the weekends.
Re: (Score:3)
> does anyone know if ZFS, or if any other filesystem, deduplicates blocks when it stores snapshots? If so, that may be an efficient way to preserve the data on a backup drive.
ZFS is Copy-On-Write so snapshots cost almost zero disk space.
If you got hit by this encryptor then you'd say:
zfs rollback data/nextcloud@daily-20191123
or whatever your snapshotting is set up for. Then reindex the files, probably.
Some people snapshot every fifteen minutes.
BTW Nextcloud works fine on Apache.
Re: (Score:1)
# zfs set dedup=on|verify|sha256|sha512 your/dataset
ZFS also supports inline compression that you can enable in a similar manner.
OwnCloud Fork? (Score:2)
Does this only affect NextCloud? Or is it attacking the OwnCloud fork?
Re: (Score:1)
At work we had to look into it and it does not look like anything NextCloud specific is going on there. This is really a remote code execution vulnerability in nginx + php-fpm and not one of NextCloud. Data directories in NextCloud and OwnCloud also still look similar enough.
However, ownCloud usually runs on Apache, and I think nginx support was dropped quite a while ago. I guess the attacker chose Nextcloud as a target because it is something that
Apache + PHP is unaffected (Score:2)
Cloud Crap (Score:1)
Yet more "Cloud Crap" users get what they deserve.
fucking truman show (Score:1)
fucking truman show