About a month ago there was an urgent security notice from the Nextcloud devs regarding a flaw in the Nginx/php-fpm setup and the associated Nextcloud config. Unfortunately, we are now seeing it exploited in the wild.
A new ransomware has been found in the wild that is currently undetected by antivirus engines on public scanning platforms. It is named NextCry, after the extension it appends to encrypted files and because it targets clients of the Nextcloud file sync and share service.
The malware targets Nextcloud instances and for the time being there is no free decryption tool available for victims.
The Nextcloud devs have confirmed that it doesn't appear to be an issue with Nextcloud itself and that patching and updating is highly advised.
This brings to mind some extra security measures I do for Nextcloud on top of my standard server checklist:
- [ pfsense ] basic Geo Blocking with pfBlockerNG.
- [ pfsense ] IDS with Suricata.
- [ Graylog ] I have set up an alert if a known ransomware file extension is detected on any of my systems (logging through rsyslog and sidecars).
- [ fail2ban ] set up to monitor both nginx logs and Nextcloud logs.
- [ Nextcloud APP ] Brute-force settings
- [ Nextcloud APP ] Antivirus for files
- [ Nextcloud APP ] Ransomware protection
- [ Nextcloud APP ] Ransomware recovery
- [ Nextcloud APP ] Suspicious Login
- [ Nextcloud APP ] Two-Factor TOTP Provider
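As an added example (not from the post or from Graylog/Nextcloud), here is the logic behind the Graylog extension alert and the ransomware-protection app in plain Python, run over constructed rsyslog-style file-event lines: a signature check against a list of known ransomware suffixes, plus a behavioural check that flags one user renaming many files to the same new extension in a short window, which also catches a strain whose suffix is not on the list yet. The log line format, the extension list and the `.nextcry` suffix are assumptions for this example.

```python
import os
import re
from collections import defaultdict
from datetime import datetime

# Assumed signature list; ".nextcry" is the suffix the NextCry strain is named after.
RANSOMWARE_EXTENSIONS = {".nextcry", ".locky", ".wncry", ".crypt"}

# Constructed sample lines in a made-up rsyslog-style file-event format.
SAMPLE_LOGS = [
    'Nov 14 10:01:02 cloud nextcloud: user=alice action=write path="/alice/files/report.docx"',
    'Nov 14 10:01:05 cloud nextcloud: user=bob action=rename path="/bob/files/photo.jpg.nextcry"',
    'Nov 14 10:01:06 cloud nextcloud: user=bob action=rename path="/bob/files/tax.pdf.nextcry"',
    'Nov 14 10:01:08 cloud nextcloud: user=carol action=rename path="/carol/files/a.txt.zzz"',
    'Nov 14 10:01:09 cloud nextcloud: user=carol action=rename path="/carol/files/b.txt.zzz"',
    'Nov 14 10:01:10 cloud nextcloud: user=carol action=rename path="/carol/files/c.txt.zzz"',
    'Nov 14 10:09:00 cloud nextcloud: user=carol action=rename path="/carol/files/d.txt.zzz"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ nextcloud: '
    r'user=(?P<user>\S+) action=(?P<action>\w+) path="(?P<path>[^"]+)"$'
)

def parse_line(line):
    """Return a dict with ts/user/action/path/ext, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year defaults to 1900; only deltas matter
    ev["ext"] = os.path.splitext(ev["path"])[1].lower()
    return ev

def known_extension_alerts(lines):
    """Signature check: every file event whose extension is on the ransomware list."""
    return [(ev["user"], ev["path"]) for ev in map(parse_line, lines)
            if ev and ev["ext"] in RANSOMWARE_EXTENSIONS]

def rename_burst_alerts(lines, threshold=3, window_seconds=60):
    """Behavioural check: a user renaming >= threshold files to the same extension within the window."""
    stamps_by_key = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["action"] == "rename":
            stamps_by_key[(ev["user"], ev["ext"])].append(ev["ts"])
    alerts = set()
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):  # sliding window over sorted timestamps
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                alerts.add(key)
                break
    return sorted(alerts)
```

In the sample data bob trips the signature check, while carol (an unknown `.zzz` suffix, three renames in two seconds) is only caught by the burst check.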
Have extra security advice? Let me know in the comments down below!