Nextcry? Encrypted all files through my instance

Just a warning. It seems there’s a vuln somewhere as my instance of NextCloud got taken over today. My server was locked down already, using SSH keys and NextCloud was up to date.

Something has gone through and encrypted everything and asking for crypto to unlock. Luckily I have everything backed up, so not a huge deal, but just a warning.

The message on the homepage changes to;

“YOU HAVE BEEN HACKED YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM - SEND 0.025 BTC TO THE FOLLOWING WALLET wallet address AND AFTER PAY CONTACT their email TO RECOVER THE KEY NECESSARY TO DECRYPT YOUR FILES”

It seems I’m not the only one too;

Be aware as it seems new.


Please write a email to security@nextcloud.com

cc @rullzer @nickvergessen


I have just done this, and included a link to here also.

Cheers for the tip.

edit:

Seems that inbox isn’t monitored and they want me to sign up to an external website to submit a report. An email would be a lot easier for this.


Probably a list of installed apps could be helpful.

Mostly standard, but see below;

Seems that inbox isn’t monitored and they want me to sign up to an external website to submit a report. An email would be a lot easier for this.

Oh. I didn’t know that. I would try Nextcloud - Contact us now.

Will try that also, cheers.

How did they manage to get into your server?


Through NextCloud I presume… no other files were touched and my account via SSH wasn’t logged into as far as I can see (still checking).

It seems it’s happened a couple of times the last week or so.

Are you using Nginx with PHP-FPM perhaps? Urgent security issue in NGINX/php-fpm

Well, sorry to hear, but I don’t think that this happened through Nextcloud.
Reading up on Nextcry, it seems to be a ransomware mostly affecting windows systems.
So it reached your server when someone logged into it via a windows computer that was affected.

No, the contact form is not the correct place. As per the autoreply:

You have sent an email to security@nextcloud.com. This mailbox is not being monitored and mails are being dropped.
If you have discovered a security issue, please get into contact with us at https://hackerone.com/nextcloud.
To learn more about our security policies and processes, please visit Security in Nextcloud.

Kind regards Nextcloud Security Team

I’ll check into this, but I’ll have to boot the server back up, pretty sure I patched this when I heard about it, but it’s worth a check - thanks 🙂

Apologies, but this is not caused from a Windows PC. I have not had one connected to it (only at the beginning a while back, at least 5-6 months, to seed the files). From reading into the other thread it seems to be based on a Python script, meaning that it couldn’t have gone through my Windows PC back then also.

You could be thinking of Wannacry? Which was well known to spread through Windows systems.

And you know this is a nextcloud issue how? Do you have logs that show it was through nextcloud?

So. First of all. This kind of stuff is exactly why you have a backup. Good for you.

We have not heard of this before. However, we are unaware of any exploits in Nextcloud to have remote code execution.
So if you could go through your access logs to find out what was going on, please do.

Something that comes to mind. Are you by any chance running NGINX with our outdated config and an outdated php-fpm?


Would be very interesting to know how it got in…

To add to this.

Can you send me (in private) your

  • access logs
  • nextcloud version
  • php version
  • webserver and version

Then we can dive into it more.

I’ll grab this for you this weekend, as I’m away from home currently until tomorrow.

Just for info, this has now been posted below with more info also;

It’s possible that @kesselb is correct - will confirm versions once I’m back.

That article on Bleeping Computer sounds as though the ransomware targets client computers running the sync client, rather than the server itself. However, having the server “locked via SSH” (meaning server OS user passwords changed?) would suggest otherwise.

Is the nginx vulnerability being involved just speculative at this point, or does that seem like a likely culprit?

In the interest of attack surface reduction, I’ll share a couple other things I’ve done to harden my system. I run a dummy site that’s returned if the wrong/no SNI is used so random scans are less likely to ever reveal the Nextcloud instance. I also block all connections to it from non-ARIN addresses. That in particular drastically reduced the amount of random access I get. Also, it probably goes without saying, but there is no outside SSH access or any other sort of remote control to the system. If you must have remote console access, strictly use a VPN.

If the infiltration point really is on the server, those measures will go a long way to help reduce potential exposure.
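As an added illustration of the two web-tier measures described in the post above (a catch-all site for wrong/no SNI, plus a source allow-list), here is an nginx configuration sketch; it is not from the original thread or from the Nextcloud project, and the hostname, certificate paths, include file and CIDR ranges are placeholders.

```nginx
# Added example (not from the thread). Catch-all servers so scanners that
# connect by IP or with an unknown SNI/Host never reach the Nextcloud vhost.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # Refuse the TLS handshake outright when the SNI name is unknown
    # (nginx 1.19.4+). On older versions, serve a dummy certificate here
    # and use `return 444;` instead.
    ssl_reject_handshake on;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # nginx-specific: close the connection without a response
}

# The real instance only answers to its exact hostname.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name cloud.example.org;                           # placeholder
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;    # placeholder

    # Source allow-list (ngx_http_access_module). The post's author only
    # admits ARIN-allocated ranges; populate this from the registry's
    # published delegation data. The two prefixes below are RFC 5737
    # documentation ranges used purely as constructed placeholders.
    allow 203.0.113.0/24;
    allow 198.51.100.0/24;
    deny  all;

    # Placeholder for the regular Nextcloud location/fastcgi configuration.
    include /etc/nginx/snippets/nextcloud-placeholder.conf;
}
```

Verify with `nginx -t`, then confirm that a request to the server's bare IP over TLS fails the handshake while the named host still serves the instance.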