Virus-encoder and NextCloud

Hi all, sorry for my English; translated from Russian.

No_more_ransom, xtbl and similar stuff.

Immediately after launch, the virus scans all available drives, including network and cloud storage, to determine which files will be encrypted.
The virus encrypts files and renames them - file.xtbl

The directories synchronized with clouds are naturally located on the local HDD, and when files in these directories change, the synchronization client instantly synchronizes everything with the cloud, i.e. the data is copied to all PCs with which this directory is shared.

It occurred to me to force the NCSync-client not to synchronize encrypted files with the server by adding file masks (*.xtbl) to the list of exceptions. But not everything is as simple as it seemed.

If you simulate the action of a virus by renaming the file file.txt > file.xtbl, then the rule in the NCSync-client does not synchronize the *.xtbl files, but the file.txt that is located on the server is moved to the cloud storage trash bin.

How do I get the NCSync-client to work correctly in this situation: not synchronize the files renamed by the virus and not delete the uninfected file from the server?

1 Like
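
The behaviour described in the question, as a simplified model added here (it is not Nextcloud client code and not part of the original posts): a rename is seen as "old name gone" plus "new name appeared", and the ignore mask hides only the second half. The function names, the flat-folder assumption and the sample folder contents are constructed for illustration; `suspicious_deletes` is a hypothetical check, not an existing client feature.

```python
from fnmatch import fnmatch
from pathlib import PurePosixPath

IGNORE_MASKS = ["*.xtbl"]  # the exclusion mask from the post


def is_ignored(name, masks=IGNORE_MASKS):
    """True if the file name matches one of the client's ignore masks."""
    return any(fnmatch(name.lower(), m) for m in masks)


def plan_sync(last_synced, local_now, masks=IGNORE_MASKS):
    """Compare the last synced state with the current local folder
    (flat list of names) and return the actions sent to the server."""
    visible = {n for n in local_now if not is_ignored(n, masks)}
    actions = [("upload", n) for n in sorted(visible - last_synced)]
    # The renamed file is masked out, so the client never uploads it,
    # but the old name is missing locally and its deletion is propagated.
    actions += [("delete", n) for n in sorted(last_synced - visible)]
    return actions


def suspicious_deletes(actions, local_now, masks=IGNORE_MASKS):
    """Hypothetical check: deletions whose file reappeared locally under an
    ignored name (file.txt -> file.xtbl or file.txt -> file.txt.xtbl)."""
    stems = {PurePosixPath(n).stem for n in local_now if is_ignored(n, masks)}
    return [n for op, n in actions
            if op == "delete" and (n in stems or PurePosixPath(n).stem in stems)]


if __name__ == "__main__":
    # Constructed sample: file.txt was renamed, old.log was deleted by the user.
    last_synced = {"file.txt", "notes.md", "old.log"}
    local_now = {"file.xtbl", "notes.md"}
    plan = plan_sync(last_synced, local_now)
    print("planned actions:", plan)
    print("hold back for review:", suspicious_deletes(plan, local_now))
```
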

First, make a backup of all data on your server. Increase the quota of the user so that his trash bin is large enough to hold all files. Disconnect the infected client and don’t reconnect it. After cleaning the computer, install the NC client again and start a fresh sync from the server.

You can then start to restore the original file. Make sure none of the other clients is infected.

There is no real protection on the server side. If you see it early enough you can stop the client and restore some files from the trash bin. Only backups are an efficient way to prevent data loss.

1 Like