MARS ransomware


For the second time in 3 weeks I got confronted with a complete encryption of my nextcloud server by ransomware named MARS.

I was using the latest stable nextcloud version, a strong, not guessable password, and 2-factor auth and ransomware protection were on.
My NAS, where the install was, was only exposed through one port for nextcloud.

All the other directories of the NAS, outside nextcloud, are unaffected; it’s only the nextcloud folder that has the ransomware.
None of the ransomwared files got back to my computer, and I only used it to sync a few shares, but I thought it was smart to put it here in case someone else has the same problem; it seems nextcloud is targeted.
I scanned the computer several times (macOS) and there doesn’t seem to be any file infected, so it looks like this is just happening within nextcloud.

This wasn’t a real problem, so for the second time I just deleted the whole thing; I have back-ups.
A VPN looks like the smart thing to do, but unfortunately I’d like to use nextcloud to share with a computer I can’t use a VPN on (company policy).

What brand and model of NAS are you using? Just for the record.

Netgear Readynas 312

Due to the fact that you’re the only one reporting such a problem in this forum until now, I would assume that it isn’t a Nextcloud-specific problem, but a NAS, web server or PHP related problem on your NAS. Can you please provide DETAILED information about your environment, the software versions used, which ports you’ve opened to access your system from the internet, etc., etc.

BTW, have you seen this posting in the QAP forum:

Yes, I suppose the problem is somewhere else.
I’ll try to figure it out.

I’m running on php 7.4, nextcloud 20.0.3 on top of readynas, its latest 6.10.3 system (that’s Linux NG-NAS 4.4).
The exposed port was 443.