
Newcomer MalasLocker Group Demands Ransom as Donation for Charity

Zimbra servers exposed to the internet face a novel threat from the new MalasLocker ransomware operation. What sets its operators apart is the ransom demand: instead of a payment to themselves, they ask victims to donate to any charity. The attackers add that victim organizations can claim a tax deduction and good PR for making the donation.

Deeper insights into MalasLocker

According to BleepingComputer, MalasLocker has been targeting Zimbra servers since the end of March, when several victims began reporting the attacks on multiple forums.
  • Email messages are encrypted without any additional file extension being appended to the name; instead the encrypted file carries the phrase “This file is encrypted, look for README.txt for decryption instructions”.
  • The ransomware drops a ransom note, README.txt, on the infected machine, urging the victim to donate to any of the approved non-profit charities and to send the confirmation email to the attackers for verification.
  • The ransom note provides the attackers' email address or a link to a Tor site that shows the most recent email address for contacting them.

So far, the leak site lists Zimbra configurations for 169 victims and stolen data leaked for three victims.

Key attributes of the attack

The exact intrusion method into the Zimbra servers is still not known. However, here are some observations from the investigation.
  • Several victims found JSP files uploaded to the public Zimbra folders ‘/opt/zimbra/jetty_base/webapps/zimbra/’ or ‘/opt/zimbra/jetty/webapps/zimbra/public’.
  • These files were uploaded under various names, such as noops[.]jsp, info[.]jsp, heartbeat[.]jsp, and Startup1_3.jsp.
  • Moreover, MalasLocker uses the Age encryption tool for its file encryption.
  • This is an uncommon choice, previously seen with the AgeLocker ransomware in July 2020.
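As an added example (not code from the report or from Cyware), the following Python triage script checks a Zimbra host, or a mounted copy of its filesystem, for the indicators above: JSP files in the two public webapp folders that carry the names victims saw or are absent from a known-good inventory, and files whose first bytes contain the age format headers or the marker phrase. The age header strings are the real ones from the age format; the message-store paths, the sample file contents, the baseline inventory, and the assumption that the marker phrase sits at the start of each encrypted message are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
# Indicators from the report; the JSP names are examples victims saw, not an exhaustive list.
WEBAPP_DIRS = ("opt/zimbra/jetty_base/webapps/zimbra", "opt/zimbra/jetty/webapps/zimbra/public")
SUSPECT_JSP = {"noops.jsp", "info.jsp", "heartbeat.jsp", "startup1_3.jsp"}
# Magic strings of the age file format: the binary header and the ASCII-armored header.
AGE_HEADERS = (b"age-encryption.org/v1", b"-----BEGIN AGE ENCRYPTED FILE-----")
# Assumption: the marker phrase is written at the start of each encrypted message.
RANSOM_MARKER = b"This file is encrypted, look for README.txt for decryption instructions"

def classify(rel, head, baseline):
    """Tag one file from its path (relative to /) and its first bytes."""
    tags = []
    name = rel.rsplit("/", 1)[-1].lower()
    if name.endswith(".jsp") and any(rel.startswith(d + "/") for d in WEBAPP_DIRS):
        if name in SUSPECT_JSP:
            tags.append("known-webshell-name")
        elif rel not in baseline:  # JSP missing from the known-good install inventory
            tags.append("unexpected-jsp")
    if RANSOM_MARKER in head:
        tags.append("ransom-marker")
    if any(h in head for h in AGE_HEADERS):
        tags.append("age-encrypted")
    return tags

def scan(root, baseline):
    """Walk root (the live filesystem or a mounted image) and report files carrying indicators."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file():
            with p.open("rb") as f:
                tags = classify(p.relative_to(root).as_posix(), f.read(512), baseline)
            if tags:
                hits[p.relative_to(root).as_posix()] = tags
    return hits

def demo():
    sample = {  # constructed mini Zimbra tree; paths and contents are illustrative only
        "opt/zimbra/jetty/webapps/zimbra/public/launch.jsp": b"<%-- shipped with the install --%>",
        "opt/zimbra/jetty/webapps/zimbra/public/heartbeat.jsp": b"<% /* unexpected upload */ %>",
        "opt/zimbra/jetty_base/webapps/zimbra/extra.jsp": b"<% /* not in inventory */ %>",
        "opt/zimbra/store/0/1/msg/0/257-1.msg": RANSOM_MARKER + b"\n" + AGE_HEADERS[0] + b"\n",
        "opt/zimbra/store/0/1/msg/0/258-2.msg": AGE_HEADERS[1] + b"\nYWdlLWVuY3J5cHRpb24ub3Jn\n",
        "opt/zimbra/store/0/1/msg/0/259-3.msg": b"From: alice@example.com\nSubject: hi\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return scan(root, {"opt/zimbra/jetty/webapps/zimbra/public/launch.jsp"})
```

On a real host, build the baseline set from a clean Zimbra install of the same version and run `scan(Path("/"), baseline)`; the age-header check also catches encrypted files that kept their original names.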

Ending notes

As the MalasLocker ransomware operation continues to target Zimbra servers using uncommon tactics, experts are recommending proactive data security measures. These measures include implementing MFA and regularly encrypting and backing up sensitive data. Additionally, experts recommend regularly updating software and operating systems to ensure that security vulnerabilities are patched.
Cyware Publisher
