Confluence and GitLab servers targeted by new ransomware strain

Over the past few days, a ransomware group has leveraged exploits for recently disclosed vulnerabilities to gain access to unpatched Confluence and GitLab servers, encrypt their files, and then ask server owners for a ransom payment to recover their data.

The attacks, spotted by security researcher MalwareHunterTeam and Tencent Security, have hit hundreds of servers so far, with both Windows and Linux systems being encrypted.

Impacted servers can be recognized by the addition of a ".locked" file extension at the end of each encrypted file.


Once a Confluence or GitHub server is hit, it starts returning 404 errors, preventing users from logging into their accounts. Administrators who investigate will eventually stumble over a file named __$$RECOVERY_README$$__.html, which contains the attackers' ransom demand.

The ransom note—pictured above—is identical to the one used by Cerber, a now-defunct ransomware operation that was active between 2016 and 2019.

However, analysis of the code suggests this is a completely different ransomware strain, one that merely tries to hijack another gang's brand in an attempt to scare victims into paying to regain access to their files.

According to Tencent, the group has been exploiting CVE-2021-26084 and CVE-2021-22205 to gain access to Confluence and GitLab servers, respectively.

Both vulnerabilities are remote code execution bugs that can grant attackers full control over unpatched systems; hence, the attackers' ability to run ransomware and encrypt files with ease.

Both issues have been disclosed earlier this year, have patches available, and have already been exploited in the wild by multiple threat actors since September and November, respectively, meaning that companies have no excuse to still be running outdated systems at this point.

For example, Confluence servers have also been targeted by the Atom Silo ransomware since October, according to a Sophos report.

Per Tencent, the vast majority of (new) Cerber victims are currently located in China, Germany, and the US. Attackers are asking for 0.04 bitcoin (~$2,000) to provide a decrypter to victims, a sum that will double after five days.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.