MalasLocker ransomware targets Zimbra servers, demands charity donation

Image: Bing Create

A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide a decryptor and prevent data leaking.

The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers toward the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails had been encrypted.

Numerous victims in the Zimbra forums report finding suspicious JSP files uploaded to the /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folders.

These files were found under different names, including data.jsp, noops.jsp, and heartbeat.jsp [VirusTotal]. Startup1_3.jsp [VirusTotal], which BleepingComputer found, is based on an open-source webshell.

Heartbeat.jsp webshell found on hacked Zimbra server

When encrypting email messages, no extra file extension is appended to the file's name. However, security researcher MalwareHunterTeam told BleepingComputer that they append a "This file is encrypted, look for README.txt for decryption instructions" message at the end of every encrypted file.

File encrypted by MalasLocker
Source: BleepingComputer

It is unclear at this time how the threat actors are breaching the Zimbra servers.

An unusual ransom demand

The encryptor will also create ransom notes named README.txt that contain an unusual ransom demand to receive a decryptor and prevent the leaking of stolen data: a donation to a non-profit charity that they "approve of."

"Unlike traditional ransomware groups, we're not asking you to send us money. We just dislike corporations and economic inequality," reads the MalasLocker ransom note.

"We simply ask that you make a donation to a non-profit that we approve of. It's a win-win, you can probably get a tax deduction and good PR from your donation if you want."

MalasLocker ransom note
Source: BleepingComputer

The ransom notes either contain an email address to contact the threat actors or a TOR URL that includes the most current email address for the group. The note also has a Base64 encoded text section at the bottom that is required to receive a decryptor, which we will go into in more detail later in the article.

While the ransom notes do not contain a link to the ransomware gang's data leak site, Emsisoft threat analyst Brett Callow found a link to their data leak site, which has the title "Somos malas… podemos ser peores," translated to "We are bad… we can be worse."

The MalasLocker data leak site currently distributes the stolen data for three companies and the Zimbra configuration for 169 other victims.

The main page of the data leak site also contains a long emoji-filled message explaining what they stand for and the ransoms they require.

"We are a new ransomware group that has been encrypting companies' computers to ask that they donate money to whoever they want," reads the MalasLocker data leak site.

"We ask that they make a donation to a nonprofit of their choice, and then save the email they get confirming the donation and send it to us so we can check the DKIM signature to make sure the email is real."

This ransom demand is very unusual and, if honest, puts the operation more into the realm of hacktivism.

However, BleepingComputer has yet to determine whether the threat actors are keeping their word when a victim donates money to a charity for a decryptor.

Unusual Age encryption

BleepingComputer has not been able to find the encryptor for the MalasLocker operation. However, the Base64 encoded block in the ransom note decodes to an Age encryption tool header required to decrypt a victim's private decryption key.
-> X25519 GsrkJHxV7l4w2GPV56Ja/dtKGnqQFj/qUjnabYYqVWY
-> .7PM/-grease {0DS )2D'y,c BA
--- 7bAeZFny0Xk7gqxscyeDGDbHjsCvAZ0aETUUhIsXnyg

The Age encryption tool was developed by Filippo Valsorda, cryptographer and Go security lead at Google, and uses the X25519 (an ECDH curve), ChaCha20-Poly1305, and HMAC-SHA256 algorithms.
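As an added example (not from the article or from the age project), here is a Python triage parser for the Base64 block found in such a note: it decodes the block, walks the age v1 header stanzas, pulls out the X25519 share, and checks the 32-byte sizes the age format fixes. The sample header is constructed here; it reuses the X25519 share and MAC line quoted above, assumes the decoded block includes the version line the age format requires, and uses a made-up wrapped-key body and grease stanza.

```python
import base64
AGE_V1 = "age-encryption.org/v1"

def _b64(s):  # age uses standard Base64 without padding
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)

def parse_age_header(text):
    """Split an age v1 header into its stanzas and 32-byte header MAC.
    Unknown stanza types (grease included) are kept but not interpreted."""
    lines = text.splitlines()
    if not lines or lines[0] != AGE_V1:
        raise ValueError("not an age v1 header")
    stanzas, i = [], 1
    while i < len(lines) and lines[i].startswith("-> "):
        args, i = lines[i][3:].split(" "), i + 1
        body = [lines[i]]
        while len(body[-1]) == 64:  # full 64-char lines continue the body
            i += 1
            body.append(lines[i])   # IndexError here means a truncated header
        i += 1
        stanzas.append({"type": args[0], "args": args[1:], "body": _b64("".join(body))})
    if i >= len(lines) or not lines[i].startswith("--- ") or len(_b64(lines[i][4:])) != 32:
        raise ValueError("header MAC line missing or not 32 bytes")
    return {"stanzas": stanzas, "mac": _b64(lines[i][4:])}

def x25519_shares(header):
    """Ephemeral X25519 shares, checking sizes the spec fixes: one 32-byte
    share argument and a 32-byte wrapped file key body."""
    shares = []
    for st in header["stanzas"]:
        if st["type"] != "X25519":
            continue
        if len(st["args"]) != 1 or len(_b64(st["args"][0])) != 32 or len(st["body"]) != 32:
            raise ValueError("malformed X25519 stanza")
        shares.append(st["args"][0])
    return shares

def header_from_note(note):
    """Decode the Base64 block that ends a ransom note (its last paragraph)."""
    block = note.rstrip().split("\n\n")[-1].replace("\n", "")
    return parse_age_header(_b64(block).decode("ascii"))

# Constructed sample: the X25519 share and MAC line are the values quoted above;
# the wrapped-key body and the grease stanza are made up for this example.
_WRAPPED = base64.b64encode(bytes(range(32))).decode().rstrip("=")
SAMPLE_HEADER = (f"{AGE_V1}\n-> X25519 GsrkJHxV7l4w2GPV56Ja/dtKGnqQFj/qUjnabYYqVWY\n"
                 f"{_WRAPPED}\n-> grease-example\nZZZZ\n--- 7bAeZFny0Xk7gqxscyeDGDbHjsCvAZ0aETUUhIsXnyg\n")
SAMPLE_NOTE = "Your files are encrypted. See README.txt.\n\n" + base64.b64encode(SAMPLE_HEADER.encode()).decode()
```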

This is an unusual encryption method, with only a few ransomware operations using it, and none of them targeting Windows devices.

The first was AgeLocker, discovered in 2020, and the other was found by MalwareHunterTeam in August 2022, both targeting QNAP devices.

MalwareHunterTeam tweet

Furthermore, the ransom notes from the QNAP campaign and AgeLocker share similar language, further linking at least those two operations.

While this is a weak link at best, the targeting of non-Windows devices and the use of Age encryption by all of these ransomware operations could indicate that they are related.
