August 2017, Nextcloud announced a Ransomware Protection app, designed to warn Nextcloud users of possible infection by Ransomware on their desktop. Some weeks ago, researchers at the German University of Konstanz, released a research paper describing a different approach and a Nextcloud app is now available based on this research. It enables Nextcloud users to easily undo the damage done by ransomware, using sophisticated analysis on uploads to separate potential ransomware data from legitimate data.
Research into ransomware
At the University, student Matthias Held, under supervision of professor Marcel Waldvogel, researched the behavior of Ransomware, aiming to answer the question: what would the most efficient ransomware look like? What would it do to extract maximum revenue from its victims?
Dissecting many known Ransomware tools revealed most are far from efficient, wasting time with double file writes or ineffective algorithms. The team decided to find out what the ideal way was to recover data from a theoretically very efficient piece of ransomware. A key finding was that, at its essence, Ransomware is simpler than normal malware. It only deals with making data inaccessible. It does not prevent usage of the rest of the computer, so users have avenues to recover their data. The team looked to exploit this fact.
Backups won’t do
Backups, on an attached drive to the computer, are not sufficient, as smart malware has the opportunity to damage backups when the drive is attached. A solution has to come from a hardware limitation to that, or perhaps a separate machine, not affected by the attack. The team looked at various potential mitigations including hardware solutions in the USB cable connecting a backup drive and file system snapshot technologies. At one point they realized that the Nextcloud server, used at the University (which is a customer of Nextcloud GmbH), qualifies as a second machine with a separate risk profile and already provides a file snapshot technology. The Trash feature in Nextcloud allow users to recover deleted files while the Versioning feature lets users bring back earlier versions of files.
Detection of suspicious files
Developing a Nextcloud app
With Nextcloud offering a flexible app architecture and the basic functionality of Trash and Versioning already available, the team started developing a solution that followed the results of their research. Essentially, their application tries to separate between ransomware actions and user actions to make rollback easier.
Their full paper details various elements of the solution: files would be examined and a Shannon entropy measure would determine whether the file is likely to be encrypted. Their implementation is clever in separating compressed data from encrypted files. Other important metrics include the number of files uploaded in over a short time period, or if lots of files with unknown extensions show up. The app closely looks at sync steps and tries to identify when a large number of files is being changed in a suspicious way.
When the user discovers their data has been taken ransom, they can visit the Ransomware Detection app and use its graphical user interface as a guide to recover their data. The likely candidates for recovery can be spotted and selected with the help of the the color guidance. Additionally, there is the option to add or remove entries from this recovery list. Of course users can also go over files one-by-one, but in tested scenarios the guided undo process significantly simplified and sped up the recovery process. Of course, if anything too little or too much has been rolled back in a first attempt, this can always be corrected later, as the Ransomware detection app simply makes use of the services of the existing Versions and Trash apps in Nextcloud.
When the user discovers their data has been taken ransom, they can visit the Ransomware Detection app and use its graphical user interface as a guide to recover their data. Of course users can also go over files one-by-one, but in tested scenarios the guided undo process simplified and sped up the recovery process significantly.
Recovery in action
A complementary solution
An interesting aspect of their approach is that it is complementary to the Nextcloud Ransomware protection app. The existing app warns users on possible infection while the new app provides recovery of data after the fact. The researchers even suspect much of the benefits of the app could be had even if the user does not have it installed. Once an attack has taken place, the user can install the app and use it to analyze the existing file versions on the server. A possible future update to the app would determine the likely point where infection took place and guide the user through the recovery.
The app uses some server resources, the team estimates this to be at about a 20-30% overhead on file upload, mostly caused by the Entropy Analysis. As large Nextcloud customers like the TU Berlin have shown that file upload makes up for far less than 10% of the load on a Nextcloud server, this makes for a reasonable trade off. The team does believe it is possible to delay the calculations to nightly cron jobs or even at the moment the user needs the data, however, with the limited performance impact, they don’t see this as a priority.
Another venue for improvement is to integrate deeper with the Nextcloud versioning system, which automatically clears data it no longer deems needed. Assigning higher priority to files likely modified just before potential malicious activity, the app could decrease the amount of data lost by a ransomware attack.
Presented soon, available now
At the upcoming Norwegian Information Security Conference (NISK 2018), the team will present their paper « Fighting Ransomware with Guided Undo ». You can read an abstract and download the full paper on Netfuture.ch.
Nextcloud Hub 9 vous permet de rester connecté. Découvrez de nouvelles fonctionnalités de fédération, l'automatisation des flux de travail, une refonte du design et bien plus encore dans votre plateforme de collaboration open-source préférée !
Nous vous présentons une mise à jour majeure de l'assistant Nextcloud IA, ainsi que de nouvelles informations sur notre collaboration avec plusieurs grands fournisseurs d'hébergement tels que IONOS et OVHcloud pour vous proposer des options d'IA en tant que service !
Bechtle et Nextcloud ont annoncé aujourd'hui une plateforme de collaboration entièrement administrée pour le secteur public, qui ne nécessite pas d'appel d'offres et peut être déployée immédiatement.
Découvrez comment passer de ownCloud à Nextcloud. Notre outil d'aide à la migration fournit des informations sur le processus de migration et vous aide à effectuer la transition en douceur.
Au cours de la dernière année, l'IA est devenue un sujet à la mode. Il y a de l'engouement, mais aussi du fondement. Il y a du positif et du négatif. Nous voulons vous offrir le positif, pas le négatif, et ignorer le battage médiatique ! […]
Nextcloud has been recognized with the World Summit Award Germany that selects and promotes local digital innovation improving society, aiming to contribute to the United Nations' agenda of sustainable development goals.
Maintenance updates 28.0.12, 29.0.9 and 30.0.2 for Nextcloud Hub 7, 8 and 9 respectively are here! Read an update summary and access full changelog on the website.
Frank Dengler from audriga joins the Nextcloud Enterprise Day program with a keynote about migration from SharePoint to Nextcloud. Read this article for more details about the keynote and the speaker.
Nous enregistrons certains cookies pour compter les visiteurs et faciliter l'utilisation du site. Ces données ne quittent pas notre serveur et ne sont pas destinées à vous suivre personnellement ! Consultez notre politique de confidentialité pour plus d'informations Personnaliser
Les cookies utilisés pour enregistrer les données saisies dans les formulaires, telles que le nom, l'adresse électronique, le numéro de téléphone et la langue préférée.
nc_form_fields
Mémorise les données saisies dans les formulaires pour une prochaine visite (nom, adresse électronique, numéro de téléphone et langue préférée).
Les cookies statistiques collectent des informations de manière anonyme et nous aident à comprendre comment nos visiteurs utilisent notre site web. Nous utilisons la solution open source de mesure de statistiques web Matomo
Matomo
_pk_ses*: Compte la première visite de l'utilisateur
_pk_id*: Aide à ne pas compter deux fois les visites.
mtm_cookie_consent: Se souvient que l'utilisateur a donné son accord pour le stockage et l'utilisation de cookies.
_pk_ses*: 30 minutes
_pk_id*: 28 jours
mtm_cookie_consent: 30 jours