Heimdal
article featured image

Contents:

A new ransomware operation has been observed hacking Zimbra servers to steal emails and encrypt files. Instead of demanding a ransom payment, the threat actors claim to require a donation to charity.

In March 2023, a ransomware operation dubbed MalasLocker began encrypting Zimbra servers, with victims reporting encrypted emails in both BleepingComputer and Zimbra forums. Users claimed finding suspicious JSP files in the /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folder.

According to VirusTotal, these files were found under different names, including info.jsp, noops.jsp, and heartbeat.jsp.

Heartbeat.jsp webshell found on hacked Zimbra Server

Source

The Age Encryption

The Base64 encoded block in the ransom note decodes to an Age encryption tool header required to decrypt a victim’s private decryption key.

Developed by Filippo Valsorda, Google’s cryptographer and Go security lead, Age uses the X25519 (ECDH curve), ChaChar20-Poly1305, and HMAC-SHA256 algorithms. Few ransomware operations use this encryption method, and all of them do not target Windows systems.

Two such operations were reported, AgeLocker, discovered in 2020 and the other was found by MalwareHunterTeam in August 2022, both targeting QNAP devices.

Unusual Demand

The encryptor creates a ransom note named README.txt, which contains a unique ransom demand: a donation to a non-profit charity of the victim`s choice.

Unlike traditional ransomware groups, we’re not asking you to send us money. We just dislike corporations and economic inequality. […] We simply ask that you make a donation to a non-profit that we approve of. It’s a win-win, you can probably get a tax deduction and good PR from your donation if you want.

Source

The threat actors can be contacted via email or via a TOR URL that includes the group’s most current email address. The ransom notes do not contain a link to the ransomware gang’s data leak site, yet Emsisoft threat analyst Brett Callow found a link with the title “Somos malas… podemos ser peores.” (Translation: “We are bad…. we can be worse.”)

MalasLocker ransom note

Source

According to BleepingComputer, the MalasLocker data leak site currently distributes the stolen data for three companies and the Zimbra configuration for 169 other victims. There is also a lengthy message explaining the reasoning behind the operation.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube for more cybersecurity news and topics.

Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE