{
	"id": "6b434fa3-e448-49d9-a09c-e873b1a6cb35",
	"created_at": "2026-04-06T01:31:50.806455Z",
	"updated_at": "2026-04-10T03:20:32.284095Z",
	"deleted_at": null,
	"sha1_hash": "dc70bcd2b0ce43270e280737bdb56393dcf8f5d5",
	"title": "New NextCry Ransomware Encrypts Data on NextCloud Linux Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2492599,
	"plain_text": "New NextCry Ransomware Encrypts Data on NextCloud Linux Servers\r\nBy Ionut Ilascu\r\nPublished: 2019-11-15 · Archived: 2026-04-06 00:08:22 UTC\r\nA new ransomware has been found in the wild that is currently undetected by antivirus engines on public scanning\r\nplatforms. Its name is NextCry due to the extension appended to encrypted files and that it targets clients of the\r\nNextCloud file sync and share service.\r\nThe malware targets Nextcloud instances and for the time being there is no free decryption tool available for victims.\r\nZero detection\r\nxact64, a Nextcloud user, posted on the BleepingComputer forum some details about the malware in an attempt to find a\r\nway to decrypt personal files.\r\nhttps://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/\r\nPage 1 of 6\n\nAlthough his system was backed up, the synchronization process had started to update files on a laptop with their encrypted\r\nversion on the server. He took action the moment he saw the files renamed but some of them still got processed by NextCry,\r\notherwise known as Next-Cry.\r\n“I realized immediately that my server got hacked and those files got encrypted. The first thing I did was pull the server to\r\nlimit the damage that was being done (only 50% of my files got encrypted)” - xact64\r\nLooking at the malware binary, Michael Gillespie said that the threat seems new and pointed out the NextCry ransomware\r\nuses Base64 to encode the file names. 
The odd part is that an encrypted file's content is also encoded this way, after first\r\nbeing encrypted.\r\nThe malware has not been submitted to the ID Ransomware service before but some details are available.\r\nBleepingComputer discovered that NextCry is a Python script compiled into a Linux ELF binary using PyInstaller. At the\r\nmoment of writing, not one antivirus engine on the VirusTotal scanning platform detects it.\r\nNextcloud servers targeted\r\nThe ransom note is in a file named “READ_FOR_DECRYPT” stating that the data is encrypted with the AES algorithm\r\nwith a 256-bit key. Gillespie confirmed that AES-256 is used and that the key is encrypted with an RSA-2048 public key\r\nembedded in the malware code.\r\nIn the analyzed sample the ransom demanded is BTC 0.025, which converts to about $210 at the moment of writing. A\r\nbitcoin wallet is provided but no transactions have been recorded until now.\r\nAfter another BleepingComputer member named shuum successfully extracted the compiled Python script,\r\nBleepingComputer could clearly see that this ransomware specifically targets NextCloud services.\r\nWhen executed, the ransomware will first find the victim's NextCloud file share and sync data directory by reading the\r\nservice's config.php file. It will then delete some folders that could be used to restore files and then encrypt all the files in\r\nthe data directory.\r\nMore than one case spotted\r\nAnother Nextcloud user named Alex posted on the platform’s support page about being hit by NextCry ransomware. 
They\r\nsay that access to their instance had been locked via SSH and that it ran the latest version of the software, suggesting that some\r\nvulnerability was exploited to get in.\r\nIn a conversation with BleepingComputer xact64 said that their Nextcloud installation runs on an old Linux computer with\r\nNGINX. This detail may provide the answer to how the attacker was able to get access.\r\n“I have my own linux server (an old thin client I gave a second life) with nginx reverse-proxy” - xact64\r\nOn October 24, Nextcloud released an urgent alert about a remote code execution vulnerability that impacts the default\r\nNextcloud NGINX configuration.\r\nTracked as CVE-2019-11043, the flaw is in the PHP-FPM (FastCGI Process Manager) component, included by some\r\nhosting providers like Nextcloud in their default setup. A public exploit exists and has been leveraged to compromise\r\nservers.\r\nNextcloud’s recommendation for administrators is to upgrade their PHP packages and NGINX configuration file to the latest\r\nversion.\r\nA representative from Nextcloud told BleepingComputer that they are currently investigating the incidents and will provide\r\nmore information as it becomes available.\r\nUpdate 11/18/19: NextCloud has told BleepingComputer that after conducting an investigation they are confident that the\r\nattacker is exploiting the PHP-FPM vulnerability that they issued an advisory on.\r\nWe've been looking into the reports on the forum and source of the virus. We are confident that the attack vector was the\r\nnginx+php-fpm security issue that hit the web some time ago.\r\nWhile it was not an issue in Nextcloud itself, we informed our users through all channels we had available, including a\r\ndirect notification to Nextcloud servers. 
This likely explains why so few servers were impacted out of the hundreds of\r\nthousands of Nextcloud servers on the web.\r\nBleepingComputer advises users to upgrade to PHP 7.3.11 or PHP 7.2.24, depending on the development branch being used, to\r\nfix this vulnerability.\r\nSource: https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/"
	],
	"report_names": [
		"new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775439110,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc70bcd2b0ce43270e280737bdb56393dcf8f5d5.pdf",
		"text": "https://archive.orkl.eu/dc70bcd2b0ce43270e280737bdb56393dcf8f5d5.txt",
		"img": "https://archive.orkl.eu/dc70bcd2b0ce43270e280737bdb56393dcf8f5d5.jpg"
	}
}