Protect Against Ransomware & Malware with Secure Cloud Storage

Organizations have known for years that they have to be vigilant with email attachments, but when’s the last time you emailed a document, instead of simply sharing a link to your cloud storage? Dropbox, even its paid plans such as Dropbox Pro or Dropbox Business do not scan uploaded files for viruses – making it easy for users to inadvertently share infected files with customers, vendors, and colleagues.

Think about the disruption and reputational damage to your business if critical files were “crypto locked” for ransom, or a ransomware infection was traced back to one of your employees who mindlessly forwarded an infected file to a customer. The desperation of the pandemic, and under-capacitated IT departments setting up users for remote work, has led to an explosion in ransomware attacks, including on hospitals, in 2020.

Aside from the privacy and data sovereignty benefits of switching to self-hosted cloud storage, there is now one more reason to move your enterprise file sync & share solution to Nextcloud. Nextcloud supports two features that are exceedingly relevant in a dangerous cyber environment filled with threats such as ransomware: Virus Scanning and Ransomware Protection.

Nextcloud’s virus scanner makes use of a time-tested, open source scanning engine – ClamAV – which most sysadmins will know has been used for years on mail servers to protect users from infected email attachments. ClamAV has been acquired by Cisco, and is maintained by the Cisco Talos Intelligence Group with new virus definitions to allow your server to detect new threats, including viruses, trojans, and ransomware.

Virus Scanning with ClamAV definitions

If a Nextcloud user attempts to upload a file flagged as infected by ClamAV, the virus scanner will log the event, and prevent the file from being uploaded to the user’s storage (and shared onward to other users). This helps contain any potential infection before it has the opportunity to spread throughout your network and over the Internet. Users should also run a virus scanner with real-time protection on their endpoint (e.g. Bitdefender, Windows Defender, NOD32), so any infections are detected and purged from their local machines.

Enabling the virus scanner does add some overhead to the system resources consumed by your Nextcloud instance, but configuring it to listen through the Unix socket (as opposed to as an executable) will minimize the performance impact as much as possible. Depending on the number of concurrent users and the size of the files being scanned, you would want to provision an adequately powerful server to account for this overhead.

Ransomware Protection Powered by Pattern Matching & File Entropy

Ransomware protection in Nextcloud is in addition to the protection already provided by the virus scanner. Ransomware protection uses pattern matching and an entropy technique to heuristically identify upload patterns that resemble files that have been encrypted by ransomware. Before the encrypted data can overwrite intact versions of the files previously stored on Nextcloud, the ransomware protection will visually alert the user who can seek help from an administrator.

By default, neither of these essential security features are enabled in Nextcloud. The reason for this is because the virus scanner requires the configuration of the clamd service on the server, which is a dependency that is separate from a standard Nextcloud install.

File Versioning vs. Backups with Nextcloud

Nextcloud automatically keeps file versions based on this schedule providing the possibility of rolling back files to a previous version archived by Nextcloud. This can be invaluable when a file is damaged for any reason including user error, ransomware infection, or data corruption on a user’s local hard drive.

File Versioning in Nextcloud

File versioning provides a convenient way to undo unwanted changes to files, but as any storage administrator worth their salt would tell you, versioning is not equal to backup. It is also recommended to have separate “out of band” backups such as automatic snapshots of the entire data directory of Nextcloud, including all of the individual user directories stored within.

Policy-based Backups (Snapshots) at Cloud Provider

A policy-based backup or snapshot schedule, if your Nextcloud instance is hosted with a cloud provider such as Oracle Cloud or Google Cloud Platform is a cost-effective and reliable way to achieve incremental backups, as an additional layer of protection to file versioning. Snapshots are stored by a cloud provider’s object storage service, providing high levels of durability (Eleven 9’s of annual durability) and the ability to restore and retrieve backed up files any time from a separate block volume without affecting your running Nextcloud instance.

It is a best practice to flush any files to disk (from memory) as close as possible to the time window when a scheduled backup begins, to ensure the snapshot is consistent with the state of the filesystem to the greatest extent possible.

Backups do not necessarily add a lot of additional cost to hosting your Nextcloud instance. For instance, Oracle Cloud snapshots are billed at $0.026/GB/mo for the actual capacity used. Because the backups are incremental, you only incur cost for the changed data from the previous backup – each time a new backup is taken. From the cloud dashboard, you can restore a backup from any point-in-time for which a backup exists – depending on your chosen backup frequency and retention period.

2 Factor Authentication and Passwordless Login

Like almost any other modern web service, Nextcloud supports 2 Factor Authentication (2FA) using a TOTP token on your iOS or Android mobile phone. Unlike SMS-based 2FA, the TOTP token is time-based, so it will function even without a WiFi or mobile data connection. This is helpful, for example, when the user is abroad and cannot receive verification texts from special SMS numbers (i.e. shortcodes) while roaming on a foreign carrier.

TOTP authentication is also resistant against “SIM swap” attacks, where an attacker contacts the mobile carrier and impersonates the subscriber to have the number transferred onto another SIM card under the attackers’ control. “SIM swapping” is commonly used to steal credentials from VIPs such as celebrities, executives, and government officials, in addition to journalists, and private individuals invested in cryptocurrency.

By simply downloading a mobile app such as Google, Microsoft Authenticator, or Authy, Nextcloud users can set up 2FA to stop an attacker in case their password is discovered from another website that is compromised, or by a brute-force attack. Nextcloud also supports passwordless login using a FIDO2 security key, such as the YubiKey. The YubiKey is a hardware token which plugs into a USB port to allow the user to authenticate by simply touching the button on the device.

According to this case study, well-known companies such as Google have not suffered successful phishing attacks since requiring their employees to use physical security keys.

Centralized Monitoring & Logging

Graylog Centralized Logging with Elasticsearch

For a forensic-level of oversight into the activities on your organization’s Nextcloud instance, many administrators choose to use tools such as Graylog to aggregate and archive the log output from their Nextcloud server. Because Nextcloud supports outputting logs to Syslog, it can be replayed to a Graylog endpoint with Rsyslog. Once ingested into Graylog, the log data is searchable with Elasticsearch with a high-performance MongoDB backend.

The logging level can be configured in Nextcloud to log activities with timestamps including successful/failed logins, client IP addresses, file accesses, warnings and errors allowing rapid diagnosis of technical issues and detection of attempts to cross authorized access boundaries. The external logging capability can be used in conjunction with the Nextcloud Auditing app to control the granularity of the data that is recorded, depending on your organization’s needs.

OpenNMS and Grafana Monitoring and Visualization

Nextcloud also provides an external XML monitoring endpoint which can be integrated with third-party tools such as OpenNMS and Grafana to visualize stats including system load, active users, memory, and free space to alert administrators when their Nextcloud server may be reaching its provisioned capacity, so maintenance can be performed before users encounter any degradation in performance.


Nextcloud is a more powerful, enterprise file sync & storage service that your organization can deploy on any infrastructure of its choice for the utmost in security, privacy, and freedom. With features and extensions that are made with security against today’s evolving cyber threats in mind, our team would be pleased to consult and assist with Nextcloud deployment in your organization – contact us today.