Malicious users are exploiting a vulnerability in Oracle WebLogic CVE-2019-2725 to install a ransomware called Sodinokibi.
Once executed, the Trojan creates the following file:
[PATH TO ENCRYPTED FILES]\[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt
It also deletes Shadow Volume Copies and disables Windows startup repair.
Next, the Trojan encrypts files on the compromised server. It appends a random extension to each encrypted file, unique to each compromised computer, and creates a ransom note file with the name above in every folder that contains encrypted files.
The ransom note informs the user their files have been encrypted and provides instructions on how they may pay to have the files decrypted.
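As an added example (not part of the original advisory), a Python triage script that hunts for the artifacts described above on a file share or in a process-creation log: it infers the per-host random extension from ransom notes named `[RANDOM EXTENSION]-HOW-TO-DECRYPT.txt`, counts files carrying that extension, and flags command lines typical of shadow-copy deletion and startup-repair disabling. The sample directory tree, the extension `k7x2q` and the command lines are constructed; the advisory does not quote the exact commands the Trojan runs, so the `vssadmin`/`bcdedit` patterns are assumptions.

```python
import os, re, tempfile
# Ransom note name from the advisory: [RANDOM EXTENSION]-HOW-TO-DECRYPT.txt
NOTE_RE = re.compile(r"^(?P<ext>[^.\\/]+)-HOW-TO-DECRYPT\.txt$")
# Typical Windows commands for wiping shadow copies / disabling startup repair
# (assumption: the advisory does not quote the Trojan's actual command lines).
SUSPICIOUS_CMDS = [re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
                   re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)]

def find_ransom_notes(root):
    """Map each extension parsed from a ransom-note name to the folders holding that note."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                found.setdefault(m.group("ext"), []).append(dirpath)
    return found

def count_encrypted(root, ext):
    """Count files carrying the inferred extension (the notes themselves end in .txt)."""
    return sum(1 for _, _, files in os.walk(root) for f in files if f.endswith("." + ext))

def triage(root, cmdlines):
    """Summarise the indicators found under root and in the given command lines."""
    notes = find_ransom_notes(root)
    return {"extensions": sorted(notes),
            "note_folders": sum(len(v) for v in notes.values()),
            "encrypted_files": {e: count_encrypted(root, e) for e in notes},
            "suspicious_cmds": [c for c in cmdlines
                                if any(p.search(c) for p in SUSPICIOUS_CMDS)]}

def build_sample_tree(root, ext="k7x2q"):
    """Constructed sample: two folders, each with one encrypted file and a ransom note."""
    for sub in ("docs", "db"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        open(os.path.join(d, f"report.xlsx.{ext}"), "w").close()
        open(os.path.join(d, f"{ext}-HOW-TO-DECRYPT.txt"), "w").close()
    open(os.path.join(root, "docs", "untouched.txt"), "w").close()

SAMPLE_CMDLINES = [  # constructed process-creation log excerpt
    r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet",
    r"bcdedit /set {default} recoveryenabled No",
    r"notepad.exe C:\Users\admin\notes.txt"]

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root, SAMPLE_CMDLINES)
```

Point `triage` at a real share root and a list of command lines pulled from process-creation events to reuse it outside the demo.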
Unfortunately, CVE-2019-2725 is very easy for attackers to exploit: anyone with HTTP access to a WebLogic server could carry out an attack. Because of this, the bug has a CVSS v3.0 Base Score of 9.8 (CRITICAL).
So how safe are you feeling when visiting a WebLogic server app these days? :/