FYI I read this on diaspora:
We’ve been looking into the reports on the forum and source of the virus. We are confident that the attack vector was the nginx+php-fpm security issue that hit the web some time ago.
While it was not an issue in Nextcloud itself, we informed our users through all channels we had available, including a direct notification to Nextcloud servers. This likely explains why so few servers were impacted out of the hundreds of thousands of Nextcloud servers on the web.
Nextcloud’s recommendation for administrators is to upgrade their PHP packages and NGINX configuration file to the latest version.