Nextcloud presents Ransomware Protection app

Originally published at: https://nextcloud.com/blog/nextcloud-presents-ransomware-protection-app/

[Image: Admin configuration]

As we blogged before, ransomware costs consumers and businesses huge amounts of money. For 2016, the total cost is estimated to be $1 billion globally, but WannaCry and its successor Petya do more than hit headlines. One company, Reckitt Benckiser, known for Dettol cleaning products, Nurofen tablets, Durex condoms and more, warned investors it could lose $120 million in revenue due to the Petya attack. Danish transport and energy firm Maersk and FedEx’s delivery subsidiary TNT Express were both hit so hard they were still recovering earlier this month.

Ransomware is difficult to deal with, and while frequent backups are helpful, Nextcloud has decided to get involved in helping to limit the damage of an attack. We’re proud to present the Ransomware Protection app!

[Image: Notification of potential ransomware]

Developing some protection

In the aftermath of the recent attacks, users have been asking: do public or private cloud solutions provide protection against ransomware? To some degree, they do: these services often provide access to older versions of files and are backed up. But none of them really does much proactively to help. With the massive costs our users and customers see themselves confronted with, one Nextcloud developer has put together an app which helps protect users against ransomware.

Ransomware comes in many varieties. In most cases, it encrypts user data, creating new files with a different file extension and removing the older files. It also puts in place a file which contains instructions on how to get the files ‘unlocked’ again.

The Ransomware Protection app makes use of this characteristic. It detects common file names used by ransomware and responds by blocking further uploads and warning the user and administrator, who can then take action. As the sync client is constantly syncing, this should leave only a very small window between the last legitimate modification of user data and the malicious activity. However, if something made it through, users can still rely on the ability to restore older versions of files on the server.

[Image: Protection temporarily disabled]

Features and limitations

The protection offered is not complete. Some ransomware uses random filenames and very generic terms for the instruction files, thus offering little opportunity for detection and prevention. New ransomware also shows up regularly. However, an estimated 95% of the current ransomware can be caught and partially or fully stopped in its tracks, and we will maintain the app, possibly adding more protection mechanisms. For more thorough protection, we still strongly suggest that users follow the instructions from the FBI and other cyber security organizations. Those include installing special anti-ransomware apps or using virus scanners which feature ransomware protection!

The app offers some configuration for the system administrator. New file extensions, file name patterns and instruction file names can be added or removed in response to new threats or to minimize disruption and false positives. Enterprise monitoring applications can catch the notifications in the logs while administrators also get notified in their administrator account when a user decides to ask for help.
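
The filename check and admin-editable lists described above, sketched in Python as an added example (this is not the app's own code). The class `UploadGuard`, its method names and the sample extension and instruction-file lists are all constructed for illustration and are not the app's shipped defaults.

```python
import re
from pathlib import PurePosixPath

# Constructed sample lists for illustration; NOT the app's shipped defaults.
BLOCKED_EXTENSIONS = {".encrypted", ".locked", ".crypt", ".mp3"}
NOTE_PATTERNS = [re.compile(p, re.I) for p in (
    r"^how[_ -]?to[_ -]?(decrypt|recover).*\.(txt|html?)$",
    r"^(read|help)[_ -]?me.*decrypt.*\.(txt|html?)$",
)]

class UploadGuard:
    """Hypothetical server-side check applied to every synced upload."""

    def __init__(self, extensions, note_patterns, exceptions=()):
        self.extensions = {e.lower() for e in extensions}
        self.note_patterns = list(note_patterns)
        self.exceptions = {e.lower() for e in exceptions}  # admin allow-list
        self.paused_users = set()  # users whose uploads are currently blocked
        self.log = []              # lines a monitoring tool could collect

    def classify(self, path):
        """Return why a file name looks like ransomware, or None."""
        name = PurePosixPath(path).name.lower()
        ext = PurePosixPath(name).suffix
        if ext in self.exceptions:
            return None
        if ext in self.extensions:
            return f"extension {ext}"
        if any(p.match(name) for p in self.note_patterns):
            return "instruction file name"
        return None  # random names and generic notes pass undetected

    def upload(self, user, path):
        """Return True if the upload is accepted, False if blocked."""
        reason = "uploads paused" if user in self.paused_users else self.classify(path)
        if reason is None:
            return True
        self.paused_users.add(user)  # one hit blocks all further uploads
        self.log.append(f"BLOCKED user={user} path={path} reason={reason}")
        return False

    def resume(self, user):
        """The user or admin confirmed a false positive; accept uploads again."""
        self.paused_users.discard(user)

if __name__ == "__main__":
    guard = UploadGuard(BLOCKED_EXTENSIONS, NOTE_PATTERNS)
    for p in ("report.docx", "Photo.JPG.LOCKED", "notes.txt", "a8f3k2.q7x"):
        print(p, guard.upload("alice", p))
```

An over-broad default such as `.mp3` blocks a legitimate upload until the extension is added to `exceptions`, while a file with a random name and extension is never flagged.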

Nextcloud users can download the Ransomware Protection app for free on our app store. The source can be found on our GitHub and if you want to give feedback or contribute to improving the protection it offers, we’d appreciate it!

3 Likes

After reading your post, I got the impression that this app has a few shortcomings:

  • If ransomware runs on the client system, which synchronizes with Nextcloud, then the app can detect the fraudulent activity, but it can’t show a UI prompt (because the user doesn’t have a browser open at the moment). It can only send an email. Right?
  • The protection is enabled only on the application level. So, if ransomware runs on the storage level (for example, it compromises the Ubuntu on which I installed Nextcloud), the app can do nothing. Right?

Right. However, it’s far less likely to get to the server since so much ransomware is a) Windows-based and b) requiring user interaction

I haven’t installed it yet, though I’d hope there’s a mechanism to track/submit custom extensions being added - crowdsourcing could be very useful… while maintaining privacy and such

1 Like

Does this app already work without any patterns entered by me? Or is the protection only active once I have entered some patterns, so that the security totally depends on my patterns?
Where can I find some information on what patterns I should enter?

Yes, but things like .mp3 and .css are blacklisted by default

Could you explain more, because I didn’t follow you guys?

.mp3, seriously? :smiley:

Very nice app :smiley:

A better versioning interface would be great:

  • allow to set the version of a folder before a specific date
  • if you see all versions of a file, provide an option to download each of these versions (or all as a zip file)
  • show specific date (perhaps on a timeline for restoring), 2 days or 3 days is not very specific if you want to restore the version of last Friday

https://github.com/nextcloud/ransomware_protection/blob/master/resources/extensions.txt :stuck_out_tongue_winking_eye:

This effectively prevents sharing an MP3 file! :see_no_evil:

1 Like

Well, it was resolved by the last PR on GitHub/release. Now portable apps and mp3 can be uploaded again without tweaking.

I solved this issue on the first day by adding the extension(s) to the exceptions. :wink: That cannot be that hard. :fearful:

No, it isn’t. But the default settings are better now.