Ransomware/Encryption Question

Hello everyone.

With the WannaCry Worm going about, it made me think of a question I wish I had the answer to earlier.

Right now I have a Linux host and a Windows guest set up in KVM passthrough; both are connected to my nextcloud server, where I do all of my cloud backups.

Let's say my Windows guest got hit, and encrypted everything. Does that in turn encrypt what's in my nextcloud folder, and it syncs to the server? Thus, the nextcloud server only has the encrypted data?

Of course this would apply to Dropbox, MEGA etc.

I'm pretty sure that's a yes.

3 Likes

That would be a yes indeed. I've seen it happen on a company Dropbox. One of the machines got infected and it encrypted the Dropbox folder, which then got synced to all computers because the encrypted version of the files is the new one.

Make sure your Windows box is fully up-to-date and don't do anything stupid with it. Run it as a regular user instead of admin, practice safe browsing and don't open attachments without knowing the sender and confirming by phone that he/she did indeed send you something.

2 Likes

Gotta keep that pr0n safe :wink:

Store your nextcloud data on a ZFS pool or something similar with snapshot capability. That way, if all your data gets encrypted and backed up, you can just roll back the snapshots to a point before the attack.

5 Likes

Yes, any service that syncs your data to cloud storage leaves it vulnerable to ransomware.

This is because the data is a live copy of what is on the computer, meaning that once your local copy is encrypted and synced, the old data no longer exists on the server.

As @anon54210716 pointed out, you need to use a system that keeps snapshots of your data on a different system.

Something like ShadowCopy or a local ZFS disk will not protect you if your system is compromised, as the offending malware will have access to these things.

Basically, make sure you have a backup plan.
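The snapshot-and-roll-back approach suggested in this thread, sketched as an added example that is not part of any post: a script for the nextcloud server itself (not a synced client) that takes timestamped ZFS snapshots, prunes old ones, and finds the newest snapshot taken before a known encryption time. The dataset name `tank/nextcloud`, the `auto-` naming scheme and the retention count are assumptions.

```shell
#!/bin/sh
# Added example. Run on the nextcloud *server*, never on a client that syncs
# to it, so malware on the client cannot reach the snapshots.
# Assumptions: dataset name, retention count, and the auto-YYYYMMDDTHHMMSSZ
# (UTC) naming scheme, chosen so that string order equals time order.
DATASET="${DATASET:-tank/nextcloud}"
KEEP="${KEEP:-48}"

# Name for a snapshot taken right now.
snap_name() {
    printf '%s@auto-%s\n' "$DATASET" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# stdin: snapshot names; $1: time of the attack in the same stamp format.
# Prints the newest auto snapshot taken strictly before that time.
pick_rollback_target() {
    grep '@auto-' | sort | awk -v t="$1" '
        { s = $0; sub(/.*@auto-/, "", s); if ((s "") < (t "")) last = $0 }
        END { if (last != "") print last }'
}

# stdin: snapshot names; $1: how many of the newest to keep.
# Prints the older auto snapshots that can be destroyed.
prune_candidates() {
    grep '@auto-' | sort | awk -v keep="$1" '
        { a[NR] = $0 }
        END { for (i = 1; i <= NR - keep; i++) print a[i] }'
}

# Snapshots of this dataset only (no child datasets).
list_snaps() {
    zfs list -H -t snapshot -o name -d 1 "$DATASET"
}

case "${1:-}" in
    snapshot)   # run from cron on the server
        zfs snapshot "$(snap_name)"
        list_snaps | prune_candidates "$KEEP" |
            while read -r s; do zfs destroy "$s"; done ;;
    target)     # usage: script target 20170512T120000Z
        list_snaps | pick_rollback_target "$2" ;;
    demo)       # constructed snapshot names, no zfs needed
        printf '%s\n' "$DATASET@auto-20170512T060000Z" \
            "$DATASET@auto-20170512T070000Z" |
            pick_rollback_target 20170512T063000Z ;;
esac
# Rolling back is left as a manual step, because
# "zfs rollback -r <name>" also destroys every snapshot newer than <name>.
```

Pick a retention window longer than the time it would take you to notice encrypted files, otherwise the last clean snapshot may already have been pruned.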