MalasLocker Ransomware targeting Zimbra Servers (May 17, 2023)

Ref# AL2023_41 | Date: May 29th 2023


MalasLocker is a special type of ransomware that targets Zimbra servers, encrypts data, and instructs victims to donate to charity rather than paying the standard ransom.


A new ransomware campaign called MalasLocker has been detected, targeting Zimbra servers to steal emails and encrypt files. What sets this operation apart is its unusual approach to ransom demands. Instead of requesting a monetary payment, the threat actors insist on charitable donations to a cause they approve of, in exchange for providing an encryptor and preventing data leaks.

The campaign, first identified by BleepingComputer, began encrypting Zimbra servers in late March 2023. Victims have reported the encryption of their emails on both BleepingComputer and Zimbra forums. The attackers have been found uploading suspicious JSP files to specific directories, such as /opt/zimbra/jetty_base/webapps/zimbra/ and /opt/zimbra/jetty/webapps/zimbra/public. These files, named info.jsp, noops.jsp, and heartbeat.jsp (according to Virus Total), as well as Startup1_3.jsp discovered by BleepingComputer, are associated with an open source webshell.

During the encryption process, the ransomware does not add any file extensions to the encrypted files. However, security researcher MalwareHunterTeam revealed that a message is appended to each encrypted file, stating, “This file is encrypted, look for README.txt for decryption instructions.” The exact method used by the threat actors to breach Zimbra servers remains unknown.

The encryptor generates ransom notes titled README.txt, which present an unconventional demand. Instead of money, the notes instruct victims to donate to a non-profit organization approved by the attackers. The ransom note explicitly states that the intention is not to collect money but to express a disdain for corporations and economic inequality. Victims are encouraged to view donations as an opportunity for tax deductions and positive public relations.

The ransom notes include contact information for the threat actors, either an email address or a TOR URL with an updated email address. At the bottom of the note, there is a section of Base64 encoded text that is crucial for obtaining a decryptor. More details about this aspect are expected to be discussed in the article.

Although the ransom notes do not provide a direct link to the ransomware group”s data leak site, a connection was discovered by Brett Callow, a threat analyst from Emsisoft. The data leak site, titled “Somos malas… podemos ser peores” (translated as “We are bad… we can be worse”), is currently distributing stolen data from three companies and the Zimbra configuration of 169 other victims.

The data leak site”s main page includes a lengthy message filled with emojis, outlining the group”s beliefs and ransom demands. The group identifies itself as a new ransomware group encrypting companies” computers and requesting donations to a non-profit organization of the victims” choice. Victims are instructed to save the confirmation email of their donation and send it to the group for verification using DKIM signature verification.

This ransom demand deviates from the norm and suggests a potential hacktivist motive behind the operation. However, whether the threat actors honor their promise to provide a decryptor upon donation to a charity remains unclear.

The encryptor used in the MalasLocker operation has not been identified yet. However, the ransom note contains a Base64 encoded section that decodes to an Age encryption tool header. This header is crucial for decrypting a victim”s private decryption key.

The Age encryption tool, developed by Filippo Valsorda, employs the X25519 (an ECDH curve), ChaChar20-Poly1305, and HMAC-SHA256 algorithms. This encryption method is uncommon, with only a few ransomware operations utilizing it, and none specifically targeting Windows devices. AgeLocker, discovered in 2020, and another ransomware variant detected by MalwareHunterTeam in August 2022 targeted QNAP devices.

Additionally, similarities in language between the ransom notes from the QNAP campaign, AgeLocker, and MalasLocker further indicate a possible connection between these operations. Although this link is tenuous, the consistent targeting of non-Windows devices and the use of Age encryption by these ransomware groups suggest a potential correlation among them.


Cyber Security tips to protect against the MalaLocker Ransomware:

  1. Keep all software, including operating systems and apps, up to date with the most recent security updates by regularly updating and patching it. By doing this, known vulnerabilities that threat actors might exploit are addressed.
  1. Use strong passwords and use multi-factor authentication (MFA) whenever possible to implement tight access controls. Limit each user”s access rights to those necessary for their position to reduce the potential attack surface.

  1. Perform routine backups: Regularly backup important data and store the backups offline or on a separate network segment. This guarantees that you can restore files from a secure backup source if they are encrypted ransomware.

  1. Implement comprehensive security measures: Companies and organizations should implement a comprehensive security strategy that includes both technical and human elements, such as regular security awareness training for employees to help them recognize and avoid social engineering attacks.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: MalasLocker Ransomware targeting Zimbra Servers.pdf