Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Files locked by virus in version atlassian-confluence-7.18.0

Eugene
Eugene June 8, 2022

Hi,

I've updated the version to atlassian-confluence-7.18.0 because of security issues as you recommended. Everything was working fine till yesterday, 06/08/2022 

Yesterday files were encrypted and locked. all files added .locked extension and there is a file with instructions __$$RECOVERY_README$$__.html 

 

<h1>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;</h1>
<small id="title">Instructions</small>
</div>
<div id="texts">
<div id="en" style="display: block;">
<p>Can't you find the necessary files?<br>Is the content of your files not readable?</p>
<p>It is normal because the files' names and the data in your files have been encrypted by "Cer&#98;er&nbsp;Rans&#111;mware".</p>
<p>It means your files are NOT damaged! Your files are modified only. This modification is reversible.<br>From now it is not possible to use your files until they will be decrypted.</p>
<p>The only way to decrypt your files safely is to buy the special decryption software "Cer&#98;er&nbsp;Decryptor".</p>
<p>Any attempts to restore your files with the third-party software will be fatal for your files!</p>
<p>We have also downloaded a lot of private data from your network.<br>If you do not contact us in a 30 days, we will post information about your private data on public news webs.</p>
<hr>
<p class="w331208">You can proceed with purchasing of the decryption software at your personal page:</p>
<p><span class="info"><a id="megaurl" class="url" href="http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion/bt206cc9006080755e820adc4dfaf67612d214d99dd69610883b30dfcf569f16925231c9d3b7eaa20b04218697d93339a11e349a9b1aa2f39ef71b40bc7eaf6634e3da6feeb7f287a436be3954dcf672c5b2a1b6ad800ccf383e536fe6655a6568afd7defd42825da66959678f1473e67fae3fcd60c8a364d0afbf2d735cc63d5806/" target="_blank">http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion/bt206cc9006080755e820adc4dfaf67612d214d99dd69610883b30dfcf569f16925231c9d3b7eaa20b04218697d93339a11e349a9b1aa2f39ef71b40bc7eaf6634e3da6feeb7f287a436be3954dcf672c5b2a1b6ad800ccf383e536fe6655a6568afd7defd42825da66959678f1473e67fae3fcd60c8a364d0afbf2d735cc63d5806/</a></span></p>
<p>At this page you will receive the complete instructions how to buy the decryption software for restoring all your files.</p>
<p>Also at this page you will be able to restore any one file for free to be sure "Cer&#98;er&nbsp;Decryptor" will help you.</p>
<hr>
<p>If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor&nbsp;Browser:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet&nbsp;Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor&nbsp;Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor&nbsp;Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened &#097;fter the initialization;</li>
<li>type or copy the address <br><span class="info">http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion/bt206cc9006080755e820adc4dfaf67612d214d99dd69610883b30dfcf569f16925231c9d3b7eaa20b04218697d93339a11e349a9b1aa2f39ef71b40bc7eaf6634e3da6feeb7f287a436be3954dcf672c5b2a1b6ad800ccf383e536fe6655a6568afd7defd42825da66959678f1473e67fae3fcd60c8a364d0afbf2d735cc63d5806/</span><br> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>Tor Browser may be blocked in your country or corporate network. Use Tor Browser over VPN.</p>
<p>If you have any problems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p>
<hr>
<p><strong>Additional information:</strong></p>
<p>You will find the instructions ("*RECOVERY_README*.html") for restoring your files in any folder with your encrypted files.</p>
<p>The instructions ("*RECOVERY_README*.html") in the folders with your encrypted files are not viruses! The instructions ("*RECOVERY_README*.html") will help you to decrypt your files.</p>
<p>Do not try to recover files yourself, this process can damage your data and recovery will become impossible.</p>
<p>Do not waste time trying to find the solution on the internet. The longer you wait, the higher will become the decryption software price.</p>
</div>

Answer
Watch
Like # people like this
1210 views

2 answers

1 vote
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 8, 2022

I'm afraid you've been hit with a ransomware virus.  It has nothing to do with Confluence, other than it has probably locked up a load of the Confluence files.

You'll need to get a security person to look into this, and you should probably report it to the police.  

Your options are limited though:

  • Pay the ransom and hope that the scammer is one of the more decent ones, and actually provides the unlocking 
  • Hope that your security people can find a way around it
  • Restore from the last backup, on a different server (one with better security and anti-virus protection)

You'll absolutely need to stop using the infected server, and get it off your network immediately, before it spreads further and while you work out what to do.

View More Comments
Eugene
Eugene June 8, 2022

This server is VM dedicated to running confluence only. This happens the same time with Critical severity unauthenticated remote code execution vulnerability: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Like
Eugene
Eugene June 8, 2022

BTW I've already restored from backup and upgrading to the latest version. I'm not sure the latest version fixes this problem because my installation was hit after upgrade...

Like
Reply
0 votes
Viktor Bogutskii
Viktor Bogutskii
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
June 19, 2022

The same .... f

View More Comments
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 21, 2022

It's the same answer.

Like
Eugene
Eugene June 21, 2022

This is not ok, I've updated to 7.18.1 but after 4 hours of online Confluence was hit by the same malware with 100% CPU load and some mining executable run from /tmp with confluence user. Fun thing is that I've extended my subscription to one more year, and updated to the latest version the same hour it is available but this is still not solving the problem.

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 21, 2022

So have you installed a new download on a clean machine, and restored data from a pre-virus attack backup?

Like
Eugene
Eugene June 22, 2022

I've made a fresh install and attached the confluence data folder from the backup.

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 22, 2022

On an uninfected clean machine?

Using a new download from a non-infected source (i.e. Atlassian)?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
DEPLOYMENT TYPE
SERVER
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.