Cloud ransomware protection

Some thoughts on how Nextcloud could help to protect against ransomware encryption attacks. I know this has been touched before, so I know i) I should make backups (I do), ii) File versioning may help, but only up to the available space (quota).

In my setup, which I think is typical for many users, I run several Windows desktop clients that keep in sync with the server. I consider the sever reasonably well protected against ransomware, but the Windows clients are the weak spot. But automatically syncing ransomware-encrypted files to the server is perhaps stoppable:

Either WebDAV desktop client or server could be set to take a (configurable) pause, generate a notification and/or to ask for user confirmation if a (configurable) amount of MBs or # of files is changed client-side. Or it could ask confirmation if whole directories are re-synced. Alternatively, desktop client or server could be alarmed if file names and date/time stamps are unchanged, but content is different.

Or, another possibility, server could pause and ask for confirmation if the files_versions quotum runs out in a single sync operation. In that way, I will be able to restore all lost files.

Of course this will not eliminate the risk of ransomware encryptions, but it will reduce risks and impact, and that’s worth a lot in my opinion. Do you think something like this is doable?

Thanks! -Teunis

2 Likes

I agree totally with this request.

I had severals clients who get crypted with ransomware while using dropbox and another one google drive.

Dropbox made between 3hours and 1 day before giving back datas to a state before attack.

Google drive was really difficult and cannot be reverted automatically so the user has to go on the website and clic – version – restore etc…

With nextcloud okay you have to make backups but if you could stop the sync before it finish to upload all crypted files it should be great for two reasons :

1- the IT do not have to make a long rescue of files

2 - the user who get advertised by nextcloud saying : it’s look like your data are corrupt. Will quickly stop the machine and won’t block shared datas.

If Nextcloud could have this feature, it will be again another value to say goodbye to onedrive and others.

About the making of the feature it could be easy to start with this :
If a lot of files get renamed with another extension quickly -> pause the sync and warn with a window alerte.

Not a dime worth to spend energy on this. The one and only solution against Ramsomware is App Whitelisting. Period! Every Window has it built-in since WinXP. The main problem is not Windows itself. The problem are a lot of wanna-be Admins and Companies not willing to invest in Security, Privacy and Awareness of employees.

I’m on board with this, not because of the ransomware aspect, but as a general, default failsafe against accidental deletion, DR situations and more. I work with several systems that implement this type of automatic pause for things like mass LDAP changes which could be catastrophic for critical systems - and preventing mass delete/file change unless confirmed could be very helpful.

We started a discussion how such a function could be implemented, if you have a good input, feel free to join:

We have a lot of private users and people who provide a setup where they don’t have full control of a client. Not sure if app whitelisting is possible for every situation (very heterogeneous environments) and if it properly protects against bugs in the operating system.

Even something like a treshold or delta in which an single User may alter, rename or save files per seconds/minutes would run into problems when somebody is trying to update his notebook after some days offline. And what happens to global accounts shared by many users? Anti-Ransomware on fileservers doesn’t work. Same with AV scanners and all that scareware. In fact these protection techniques makes everything more complex and create more support cases than intented. Keep it small and simple.
Again, the workload against ransomware must be done on the desktops. And for many years I preach: Enable App Whitelisting on Windows! Then you even can even get rid of any Snakeoil (AV Scanners).

One +1 point for Nextcloud. When all data is only accessible via Web-Interface it’s already safe.

Would it protect against WannaCry? SMB processes are already running and whitelisted. Though it is nice for people who tend to click on all kind of attachments.

Of course no executable will be started outside Program- und Windows Folders. And Non-Priviledged Users cannot access these folders.

All Ransomware Payload will be downloaded in APPDATA or TEMP folders first. If you click on them nothing will happen except a Dialog that System Policies have prevented the Appstart.

No need for Snakeoil…

Isn’t trashbin retention at least some way around a cryptolocker attack? Depending on how much files/size of data that was replaced by encrypted files, these could be recovered from the trashbin in the web interface?

It wouldn’t help against a cryptolocker directly attacking Nextcloud using some vulnerability, because then an attacker could encrypt/delete everything anyway.

The only real protection is just as always: (Offline) Backups, backups, backups. Nothing really new. App whitelisting on Windows is a good countermeasure too.

On a sidenote, given the fact that Nextcloud is positioned as an alternative to Google Drive, Onedrive, Dropbox etc., I wonder when and if an exploit comes up in one of the releases by certain groups like Shadowbroker etc. If something interesting is stored on such a system, I would expect certain “services” to have something like that too. If it would be released, I am certain that someone will tuck a cryptolocker onto such a vulnerability just like Wannacry etc.

backups are not a protection, backups are your last defensive line.
Think aggressive! Try to fight the threat before it gets on your files.

1 Like

I am not sure if it is right to try active protection against malware inside a cloud app. But maybe it could be a possible solution, if there would be a time machine, which gives the admin control over reverting changes in the cloud storage, made by users.

For example, if an app could select files which meet some criteria, an admin could decide from the list, which files should be restored from the last version.

Selection could be over filemask, timestamp of change, uploading user, etc.

So the admin has a good control over mass synced defect files. Regardless, what causes the defect. I.e. caused by ransomware, stupid users, defect harddisks and maybe script viruses.

This solution would not try to prevent from ransomware, but gives the admin a tool to minimize the damage.

I am sure that, all other tries to prevent the user from syncing, whith heuristic methods could lower user acceptance, which would end in deactivating these functions.

I hope, you understand my english.

Sounds great, but :

Would a notification matter in this world with all cookie pop-ups and so on that a lot of users just click accept to get rid of it?
Yes you (as nextcloud) could then say we warned you, but would it be worth the effort to put energy in protection that users ignore anyway?

I am running nextcloud on a private server just for myself at the moment, but I hope that using it in combination with creating regurlar snapshots (I use ZFS by the way) and keeping them for a year or so, would be enough to protect me against this kind of ransomware. Easy and quick to rollback completely or even per file if needed.
I do make regurlar (encrypted) backups to the cloud as well just in case my house burns down, so should be safe enough I guess :wink:

backups are not a protection, backups are your last defensive line.

Indeed. But if a ransomware hits somebody it is already too late. And this could happen even with the best security measures taken, even though it might be far more difficult for it to go through.

The apps files_version and files_trashbin already help to get around this in some way, as long as the cryptolocker gets no access to the Nextcloud installation directly. Restoration can even be done by every single user on their own, if needed. The only problem is mass restoration, which is not that easy to do as far as I can see.

On Windows, ransomware usually tries to delete everything from the Volume Shadow Service (Windows internal versioning of files), so if it can’t get into the cloud directly to do essentially the same (deleting all previous versions of a file), restoration would be possible.

If ransomware somehow includes an exploit for Nextcloud that helps it deleting all previous versions, then only offline backups can help.

I am totally new to this, so maybe what I say does not make too much sense ;).

I don’t know how ransomware usually works, but I guess there are two possible vulnerabilities: Infection tough some malicious Nextcloud/web app with limited access just with webserver user and through some malicious system software with in case more permissions to the file system.

In both cases there is theoretically access to the Nextcloud user files, as well as file versions and trashbin, or is access for Nextcloud/a certain user itself somehow limited to trash and versions? At least some user just has access to its own files. But generally webserver user has write access to the whole data and appdata_instanceid folders.

So in any case I would agree, that last resort is an offline backup, at least with a cron script that backups whole data folder, as well as dumps database, to an external drive which will be mounted and unmounted also within the script.

To at least keep trash and versions more save, access to it could be limited further by just allow it by real user input and the static Nextcloud retention script? Actually I don’t know how/if this could be achieved, if not already the case ;).

€: I just read the news about the topic. Infected clients are of course a third vulnerability, but files_version+trash should fully cover this. But would be no big deal to additionally add a verification, if a certain amount/share of all users files are being changed or removed at once/in short time, right? Maybe customizable/disableable, but with a hint about why this verification could make sense for security.

Auto pausing of the server when it detects more activity than a specified threshold might be an interesting feature, but I would never advertise it as ransomware protection. If we look at what Nextcloud is, we can see that it’s a cloud storage and sharing solution, not a backup solution. I fully agree with @jakobssystems in that we should not even attempt to protect against ransomware with Nextcloud, it simply is not the correct tool for that job. If it were a backup system, it might have some validity, although you still need to try to prevent ransomware before you focus on how to recover from ransomware. That’s why app whitelisting is so important.

In my mind, ransomware protection goes in this order:

  1. App whitelisting
  2. Be careful to avoid malicious sites and email attachments
  3. Backup solution as a last resort (real backup solution, not Nextcloud)
  4. Dang, I don’t have a real backup. Can I recover previous versions from Nextcloud?
  5. Antivirus (can’t remember the last time I saw a legitimate threat get caught…)

What would you do with previous versions anyway? That might help if a few files get encrypted and you restore them individually, but you can probably imagine a ransomware attack targets all files, so that would never be practical to restore one at a time.

That is, what I mean. File versions and trashbin recycling are the tools to choose. But if you have many files to restore, it could be helbful to have a bulk operation for that.

If a nextcloud installation is compromized, something different was wrong. That’s an OS admin job to prevent that.

I am not sure, if we talk about the same thing. If a ransomware or other malware affects a nextcloud installation on the machine, i agree with you. But this has nothing to do with nextcloud IMHO. And nextcloud can not prevent anything like this.

Restore the version before ransomware manipulation? Again: I am aming the situation, where a compromized system from a syncing user syncs manipulated files from his infected system to the nextcloud server. From there the defect files will be spreaded to every sync partner.

A bulk operation for an admin to restore selected files to it’s prior version could be a useful tool for that and maybe for other circumstances.

I think we’re on the same page. I’m saying ransomware and Nextcloud don’t have much to do with each other, so we shouldn’t really try to solve ransomware problems with Nextcloud.

I agree that having a bulk restore previous versions operation would come in handy, but I can’t begin to imagine how complicated it might be in order to make it simple to use and work as expected for end users.

Still, Nextcloud is the last place I would look if I needed to restore data from a ransomware attack. No offense to Nextcloud :slight_smile:

If you need to restore from a backup, you should restore from a backup, not from Nextcloud. Nextcloud is not a backup, and they don’t support using it as a backup solution.

But if you have many files to restore, it could be helbful to have a bulk operation for that.

Well, if the encryption module isn’t enabled (what an irony), then the admin can simply copy over the data folder contents from a backup and run occ files:scan and the files would be restored.

If a nextcloud installation is compromized, something different was wrong. That’s an OS admin job to prevent that.

A compromised system has to be nuked. You can never trust it again. Many ransomware tools wait for a looooong time until they get the order from the CnC server to start their dirty job (or some other type of timer). Preventing this from happening is indeed the job of the admin.