Files locked by virus in version atlassian-confluence-7.18.0

Hi,

I've updated the version to atlassian-confluence-7.18.0 because of security issues, as you recommended. Everything was working fine till yesterday, 06/08/2022.

Yesterday files were encrypted and locked. All files got the .locked extension, and there is a file with instructions, __$$RECOVERY_README$$__.html:


<h1>C&#069;&#82;BE&#82; &#82;ANSOMWA&#82;&#069;</h1>
<small id="title">Instructions</small>
</div>
<div id="texts">
<div id="en" style="display: block;">
<p>Can't you find the necessary files?<br>Is the content of your files not readable?</p>
<p>It is normal because the files' names and the data in your files have been encrypted by "Cer&#98;er&nbsp;Rans&#111;mware".</p>
<p>It means your files are NOT damaged! Your files are modified only. This modification is reversible.<br>From now it is not possible to use your files until they will be decrypted.</p>
<p>The only way to decrypt your files safely is to buy the special decryption software "Cer&#98;er&nbsp;Decryptor".</p>
<p>Any attempts to restore your files with the third-party software will be fatal for your files!</p>
<p>We have also downloaded a lot of private data from your network.<br>If you do not contact us in a 30 days, we will post information about your private data on public news webs.</p>
<hr>
<p class="w331208">You can proceed with purchasing of the decryption software at your personal page:</p>
<p><span class="info"><a id="megaurl" class="url" href="http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion/bt206cc9006080755e820adc4dfaf67612d214d99dd69610883b30dfcf569f16925231c9d3b7eaa20b04218697d93339a11e349a9b1aa2f39ef71b40bc7eaf6634e3da6feeb7f287a436be3954dcf672c5b2a1b6ad800ccf383e536fe6655a6568afd7defd42825da66959678f1473e67fae3fcd60c8a364d0afbf2d735cc63d5806/" target="_blank">http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion/bt206cc9006080755e820adc4dfaf67612d214d99dd69610883b30dfcf569f16925231c9d3b7eaa20b04218697d93339a11e349a9b1aa2f39ef71b40bc7eaf6634e3da6feeb7f287a436be3954dcf672c5b2a1b6ad800ccf383e536fe6655a6568afd7defd42825da66959678f1473e67fae3fcd60c8a364d0afbf2d735cc63d5806/</a></span></p>
<p>At this page you will receive the complete instructions how to buy the decryption software for restoring all your files.</p>
<p>Also at this page you will be able to restore any one file for free to be sure "Cer&#98;er&nbsp;Decryptor" will help you.</p>
<hr>
<p>If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor&nbsp;Browser:</p>
<ol>
<li>run your Internet browser (if you do not know what it is run the Internet&nbsp;Explorer);</li>
<li>enter or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li>
<li>wait for the site loading;</li>
<li>on the site you will be offered to download Tor&nbsp;Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li>
<li>run Tor&nbsp;Browser;</li>
<li>connect with the button "Connect" (if you use the English version);</li>
<li>a normal Internet browser window will be opened &#097;fter the initialization;</li>
<li>type or copy the address <br><span class="info">http://pigetrzlperjreyr3fbytm27bljaq4eungv3gdq2tohnoyfrqu4bx5qd.onion/bt206cc9006080755e820adc4dfaf67612d214d99dd69610883b30dfcf569f16925231c9d3b7eaa20b04218697d93339a11e349a9b1aa2f39ef71b40bc7eaf6634e3da6feeb7f287a436be3954dcf672c5b2a1b6ad800ccf383e536fe6655a6568afd7defd42825da66959678f1473e67fae3fcd60c8a364d0afbf2d735cc63d5806/</span><br> in this browser address bar;</li>
<li>press ENTER;</li>
<li>the site should be loaded; if for some reason the site is not loading wait for a moment and try again.</li>
</ol>
<p>Tor Browser may be blocked in your country or corporate network. Use Tor Browser over VPN.</p>
<p>If you have any problems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the search bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p>
<hr>
<p><strong>Additional information:</strong></p>
<p>You will find the instructions ("*RECOVERY_README*.html") for restoring your files in any folder with your encrypted files.</p>
<p>The instructions ("*RECOVERY_README*.html") in the folders with your encrypted files are not viruses! The instructions ("*RECOVERY_README*.html") will help you to decrypt your files.</p>
<p>Do not try to recover files yourself, this process can damage your data and recovery will become impossible.</p>
<p>Do not waste time trying to find the solution on the internet. The longer you wait, the higher will become the decryption software price.</p>
</div>

2 answers

1 vote

I'm afraid you've been hit with a ransomware virus. It has nothing to do with Confluence, other than it has probably locked up a load of the Confluence files.

You'll need to get a security person to look into this, and you should probably report it to the police.

Your options are limited though:

  • Pay the ransom and hope that the scammer is one of the more decent ones, and actually provides the unlocking
  • Hope that your security people can find a way around it
  • Restore from the last backup, on a different server (one with better security and anti-virus protection)

You'll absolutely need to stop using the infected server, and get it off your network immediately, before it spreads further and while you work out what to do.

This server is a VM dedicated to running Confluence only. This happened at the same time as the Critical severity unauthenticated remote code execution vulnerability: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

BTW I've already restored from backup and am upgrading to the latest version. I'm not sure the latest version fixes this problem because my installation was hit after the upgrade...

The same .... f

It's the same answer.

This is not ok, I've updated to 7.18.1 but after 4 hours online Confluence was hit by the same malware, with 100% CPU load and some mining executable running from /tmp as the confluence user. Fun thing is that I've extended my subscription by one more year and updated to the latest version the same hour it was available, but this is still not solving the problem.
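As an added triage example (not posted by anyone in this thread and not Atlassian's tooling), the script below checks a Linux Confluence host for the two symptoms described above: files renamed with a .locked extension next to *RECOVERY_README*.html notes, and a binary running out of /tmp, /var/tmp or /dev/shm as the confluence service account. The Confluence home path, the service user name, the sample directory tree and the sample process list are all constructed for the dry run; the /proc walk is the only part that touches the live system.

```shell
#!/bin/sh
# Added triage example (not from the thread): checks for the symptoms the posts
# describe. Sample paths, the sample tree and SAMPLE_PROCS are constructed.

# Count files carrying the .locked extension under a directory tree.
count_locked_files() {
  find "$1" -type f -name '*.locked' 2>/dev/null | wc -l | tr -d ' '
}

# Count ransom notes matching the name pattern the note itself advertises.
count_ransom_notes() {
  find "$1" -type f -name '*RECOVERY_README*.html' 2>/dev/null | wc -l | tr -d ' '
}

# Read "user exe_path" lines on stdin and keep those where the given user runs
# a binary from a world-writable scratch location (/tmp, /var/tmp, /dev/shm).
suspicious_tmp_processes() {
  awk -v u="$1" '$1 == u && $2 ~ /^\/(tmp|var\/tmp|dev\/shm)\//'
}

# Live collection on Linux via /proc: one "user exe_path" line per process.
# /proc/PID/exe still resolves when the binary was unlinked after it started
# (readlink then appends " (deleted)"), which is common for miners in /tmp.
list_live_processes() {
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    user=$(stat -c %U "$p" 2>/dev/null) || continue
    printf '%s %s\n' "$user" "$exe"
  done
}

# Run the three checks against a Confluence home directory and service user.
triage_report() {
  home="$1"; svc_user="$2"
  echo "locked files under $home: $(count_locked_files "$home")"
  echo "ransom notes under $home: $(count_ransom_notes "$home")"
  echo "processes run by $svc_user from scratch dirs:"
  list_live_processes | suspicious_tmp_processes "$svc_user"
}

# --- constructed sample data for an offline dry run --------------------------

# Builds a throwaway tree shaped like an attachments directory after encryption.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/attachments/ver003"
  : > "$d/attachments/ver003/report.pdf.locked"
  : > "$d/attachments/ver003/notes.txt.locked"
  : > "$d/attachments/ver003/intact.png"
  : > "$d"'/attachments/__$$RECOVERY_README$$__.html'
  : > "$d"'/attachments/ver003/__$$RECOVERY_README$$__.html'
  printf '%s\n' "$d"
}

# Constructed process listing: the legitimate JVM plus two binaries in scratch
# directories. Names are placeholders, not real indicators.
SAMPLE_PROCS='confluence /opt/atlassian/confluence/jre/bin/java
root /usr/sbin/sshd
confluence /tmp/.cache/sample_miner
confluence /var/tmp/.x/sample_dropper (deleted)
www-data /usr/sbin/nginx'

# Usage on a real host: ./triage.sh <confluence-home> confluence
if [ "$#" -eq 2 ]; then
  triage_report "$1" "$2"
fi
```

A non-zero count from either file check, or any line from the process filter, means the restored data or the host itself still carries the compromise, which is the situation the replies above are trying to rule out; in that case the clean-install-plus-pre-attack-backup route is the only one worth pursuing, and the filtered process lines (with their /proc/PID/exe paths) are what to hand to whoever does the forensic work.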

So have you installed a new download on a clean machine, and restored data from a pre-virus attack backup?

I've made a fresh install and attached the confluence data folder from the backup.

On an uninfected clean machine?

Using a new download from a non-infected source (i.e. Atlassian)?

Deployment type: Server