We have a Tomcat server running on a Windows 2012 server which seems to be constantly attacked by Sage 2.0 ransomware. Some details of the server:
1) Tomcat is running on ports 80 and 8080.
2) Cygwin is also running.
3) There are no other ports open externally.
We are not sure how the infection is reaching the server in the first place. We formatted our server and re-installed everything, but it got infected again; this was when no files had been copied from anywhere.
Any pointers on how we can begin to solve this problem would be really helpful.