NextCry is a new ransomware that has started targeting Linux servers that operate decentralized file syncing and sharing services powered by the open-source NextCloud software. The ransomware is currently not being detected by antivirus engines.

BleepingComputer forum user xact64 reported that half of his files got encrypted by NextCry after the ransomware infected his NextCloud server. The file-sharing software continued to update the files on his laptop with the encrypted versions until he realized what was going on and stopped the server from sending the files to his laptop.

After it executes on the NextCloud-enabled computer, the malware reads the NextCloud service’s config.php in order to find the NextCloud file share and sync data directory. The ransomware first deletes any folders and files that might be used to restore infected files to their previous clean state and then begins to encrypt the victim’s files.
Submitted by: Arnfried Walbrecht