August 2017, Nextcloud announced a Ransomware Protection app, designed to warn Nextcloud users of possible infection by Ransomware on their desktop. Some weeks ago, researchers at the German University of Konstanz, released a research paper describing a different approach and a Nextcloud app is now available based on this research. It enables Nextcloud users to easily undo the damage done by ransomware, using sophisticated analysis on uploads to separate potential ransomware data from legitimate data.
At the University, student Matthias Held, under supervision of professor Marcel Waldvogel, researched the behavior of Ransomware, aiming to answer the question: what would the most efficient ransomware look like? What would it do to extract maximum revenue from its victims?
Dissecting many known Ransomware tools revealed most are far from efficient, wasting time with double file writes or ineffective algorithms. The team decided to find out what the ideal way was to recover data from a theoretically very efficient piece of ransomware. A key finding was that, at its essence, Ransomware is simpler than normal malware. It only deals with making data inaccessible. It does not prevent usage of the rest of the computer, so users have avenues to recover their data. The team looked to exploit this fact.
Backups, on an attached drive to the computer, are not sufficient, as smart malware has the opportunity to damage backups when the drive is attached. A solution has to come from a hardware limitation to that, or perhaps a separate machine, not affected by the attack. The team looked at various potential mitigations including hardware solutions in the USB cable connecting a backup drive and file system snapshot technologies. At one point they realized that the Nextcloud server, used at the University (which is a customer of Nextcloud GmbH), qualifies as a second machine with a separate risk profile and already provides a file snapshot technology. The Trash feature in Nextcloud allow users to recover deleted files while the Versioning feature lets users bring back earlier versions of files.
Detection of suspicious files
With Nextcloud offering a flexible app architecture and the basic functionality of Trash and Versioning already available, the team started developing a solution that followed the results of their research. Essentially, their application tries to separate between ransomware actions and user actions to make rollback easier.
Their full paper details various elements of the solution: files would be examined and a Shannon entropy measure would determine whether the file is likely to be encrypted. Their implementation is clever in separating compressed data from encrypted files. Other important metrics include the number of files uploaded in over a short time period, or if lots of files with unknown extensions show up. The app closely looks at sync steps and tries to identify when a large number of files is being changed in a suspicious way.
When the user discovers their data has been taken ransom, they can visit the Ransomware Detection app and use its graphical user interface as a guide to recover their data. The likely candidates for recovery can be spotted and selected with the help of the the color guidance. Additionally, there is the option to add or remove entries from this recovery list. Of course users can also go over files one-by-one, but in tested scenarios the guided undo process significantly simplified and sped up the recovery process. Of course, if anything too little or too much has been rolled back in a first attempt, this can always be corrected later, as the Ransomware detection app simply makes use of the services of the existing Versions and Trash apps in Nextcloud.
When the user discovers their data has been taken ransom, they can visit the Ransomware Detection app and use its graphical user interface as a guide to recover their data. Of course users can also go over files one-by-one, but in tested scenarios the guided undo process simplified and sped up the recovery process significantly.
Recovery in action
An interesting aspect of their approach is that it is complementary to the Nextcloud Ransomware protection app. The existing app warns users on possible infection while the new app provides recovery of data after the fact. The researchers even suspect much of the benefits of the app could be had even if the user does not have it installed. Once an attack has taken place, the user can install the app and use it to analyze the existing file versions on the server. A possible future update to the app would determine the likely point where infection took place and guide the user through the recovery.
The app uses some server resources, the team estimates this to be at about a 20-30% overhead on file upload, mostly caused by the Entropy Analysis. As large Nextcloud customers like the TU Berlin have shown that file upload makes up for far less than 10% of the load on a Nextcloud server, this makes for a reasonable trade off. The team does believe it is possible to delay the calculations to nightly cron jobs or even at the moment the user needs the data, however, with the limited performance impact, they don’t see this as a priority.
Another venue for improvement is to integrate deeper with the Nextcloud versioning system, which automatically clears data it no longer deems needed. Assigning higher priority to files likely modified just before potential malicious activity, the app could decrease the amount of data lost by a ransomware attack.
At the upcoming Norwegian Information Security Conference (NISK 2018), the team will present their paper “Fighting Ransomware with Guided Undo”. You can read an abstract and download the full paper on Netfuture.ch.
The Nextcloud app is already available in the Nextcloud app store, still in testing by the team.
The results of the research and the Nextcloud Ransomware Detection app are scheduled to be presented also at the upcoming Nextcloud Conference in August in Berlin, Germany.
The landing page for our upcoming Nextcloud Hub release is now live! On September 27, 2025, at 10AM (CEST), we will present the latest Nextcloud Hub live from the Nextcloud Community Conference in Berlin, Germany. And you can be part of it, too, by signing up for the online launch! While you’re registering, you might […]
Read More
Nextcloud has published its first Digital Sovereignty Index (DSI) to showcase the status of digital sovereign infrastructure.
Read More
In early 2025, BigTech hyperscalers in the US began to push new “sovereign cloud” offerings in a big PR campaign in Europe. In the past weeks, their narrative has collapsed. It’s not critics or watchdogs exposing the contradictions — the tech firms themselves have admitted their "sovereign" promises are empty.
Read More
Have you ever wondered how to develop an app for Nextcloud? With our tutorials, you can get started in no time! Start developing an app now.
Read More
Discover the Microsoft 365 alternative by Nextcloud and IONOS: the Nextcloud Workspace office suite, launching in the course of 2025.
Read More
Nextcloud becomes the first cloud software platform to earn the Blauer Engel ecolabel, proving that digitally sovereign and green IT is possible.
Read More
In the Nextcloud 2024 wrap-up, we want to take a moment to celebrate this year's achievements. Join us as we continue to reimagine what’s possible - shaping a world where open source, privacy and connection come together and drive progress for the greater good.
Read More
Organisations, small and large, need a way to ensure the resiliency and digital sovereignty of their operations – an open-source, privacy-respecting alternative to Teams. And today, we present that solution - Nextcloud Talk.
Read More
Nextcloud has been recognized with the World Summit Award Germany that selects and promotes local digital innovation improving society, aiming to contribute to the United Nations' agenda of sustainable development goals.
Read More
Nextcloud has been awarded Platinum at the IT Awards 2024. Today, we celebrate this win together!
Read More
The first ethical, open-source AI assistant that can get a multitude of tasks done for you without compromising your data.
Read More
DIE ZEIT, a prominent German outlet, interviewed Nextcloud’s founder Frank Karlitschek for an article on Microsoft’s anti-competitive behaviour on the European office software market. Read for a recap of the article and the key takeaways.
Read More
MagentaCLOUD’s migration to Nextcloud in 2021 resulted in a fully equipped Online Storage with an integrated online office suite that further improves the user experience, flexibility and security for customers.
Read More
We bring you a major update to the Nextcloud AI Assistant, plus the news we work with several big hosting providers like IONOS and OVHcloud to bring AI-as-a-Service options to you!
Read More
Bechtle and Nextcloud announce today a complete managed collaboration platform for the public sector that requires no tender and can be deployed immediately.
Read More
Discover how to make the switch from ownCloud to Nextcloud. Our quick guide provides insights into the migration process, helping you make the transition smoothly.
Read More
Today, US-based file sync & share vendor Kiteworks announced their acquisition of ownCloud and Dracoon. Kiteworks points out that their customers now have access to their file-sharing application. It is to be expected they will not maintain 3 similar products, but customers will have to migrate to the US firms’ platform or look for another […]
Read More
Nextcloud founder and CEO Frank Karlitschek earns the honorary SFS Award at the 20th annual SFSCON taking place in South Tyrol, Italy.
Read More
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Read More
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]
Read More
The countdown is on. On September 27 and 28 we are meeting up in Berlin, Germany, for the annual Nextcloud Community Conference 2025. Get ready for two full days of workshops, talks, and networking with contributors, developers, and open source enthusiasts from around the world. Do you want to deepen your technical skills? Explore the […]
Read More
With the EU law proposal “Regulation to Prevent and Combat Child Sexual Abuse” — more commonly know as the EU Chat Control Law — our democracy is threatened from the inside: by our own governments. Citing child protection as the reason, the EU wants to backdoor end-to-end encryption, so they can access and read any […]
Read More
Join our workshops on September 27 and 28 as we come together in Berlin, Germany, for the Nextcloud Community Conference: a weekend of connecting, sharing, and building together. This year, we’re excited to bring you a series of hands-on workshops designed to help you sharpen your skills, explore new ideas, and collaborate with experts. From […]
Read More
