Zimbra servers are being hacked by a new ransomware operation that steals emails and encrypts data. However, the threat actors claim they want donations to charity rather than a ransom payment in exchange for a decryptor and a halt to data leakage. Around the end of March 2023, the MalasLocker ransomware campaign started encrypting Zimbra servers, and victims began posting on the Zimbra forums that their emails had been encrypted.
According to many victims on the Zimbra forums, the /opt/zimbra/jetty_base/webapps/zimbra or /opt/zimbra/jetty/webapps/zimbra/public directories were found to contain malicious JSP files. These files have been identified under various names, including info.jsp, noops.jsp, and heartbeat.jsp [VirusTotal]. The media also discovered Startup1_3.jsp [VirusTotal], which is built on an open-source webshell. No extra file extension is added to the file name when email messages are encrypted. Security researcher MalwareHunterTeam said that every encrypted file has a notice at the end stating, “This file is encrypted, look for README.txt for decryption instructions.” At this time, it is unknown how the threat actors are gaining access to the Zimbra servers.
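For responders who need to triage a Zimbra host against the two indicators above (the reported webshell file names in the webapp directories, and the trailer string appended to encrypted files instead of a new extension), the following is an added example, not code from the article or from Zimbra. The directory paths, JSP names and trailer text are taken from the article; the sample directory tree it builds is constructed for demonstration and contains no real victim data.

```python
"""Triage helper for the MalasLocker/Zimbra indicators: known webshell file
names in the Zimbra webapp directories, and the trailer string appended to
every encrypted file.  Added example; the sample tree is constructed."""
import json
import os
import sys
import tempfile
from pathlib import Path

# Webshell file names reported by Zimbra forum victims (from the article).
SUSPICIOUS_JSP = {"info.jsp", "noops.jsp", "heartbeat.jsp", "Startup1_3.jsp"}

# Trailer appended to every encrypted file (quoted in the article).
TRAILER = b"This file is encrypted, look for README.txt for decryption instructions."

# Webapp directories where the JSP files were found (from the article).
ZIMBRA_WEBAPP_DIRS = (
    "/opt/zimbra/jetty_base/webapps/zimbra",
    "/opt/zimbra/jetty/webapps/zimbra/public",
)


def has_encryption_trailer(data: bytes) -> bool:
    """True if the content ends with the MalasLocker trailer (ignoring trailing newlines)."""
    return data.rstrip().endswith(TRAILER)


def file_has_trailer(path: Path) -> bool:
    """Read only the tail of the file so large mailbox stores are cheap to scan."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - len(TRAILER) - 16))
        return has_encryption_trailer(fh.read())


def scan_tree(root: str) -> dict:
    """Walk `root` and report known webshell names and files carrying the trailer."""
    report = {"webshells": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name in SUSPICIOUS_JSP:
                report["webshells"].append(str(path))
            try:
                if file_has_trailer(path):
                    report["encrypted"].append(str(path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return report


def build_sample_tree() -> str:
    """Create a constructed sample tree (not real victim data) and return its path."""
    root = tempfile.mkdtemp(prefix="malaslocker_demo_")
    public = Path(root) / "jetty" / "webapps" / "zimbra" / "public"
    store = Path(root) / "store" / "0" / "1" / "msg"
    public.mkdir(parents=True)
    store.mkdir(parents=True)
    (public / "heartbeat.jsp").write_text("<%-- constructed placeholder, not a webshell --%>")
    (public / "login.jsp").write_text("<%-- constructed stand-in for a legitimate page --%>")
    (store / "257-1.msg").write_bytes(b"\x8a\x11\x03constructed-ciphertext" + TRAILER + b"\n")
    (store / "258-1.msg").write_bytes(b"From: alice@example.com\r\n\r\nhello\r\n")
    return root


if __name__ == "__main__":
    # With no arguments, scan the constructed sample tree; otherwise scan the given roots.
    roots = sys.argv[1:] or [build_sample_tree()]
    for r in roots:
        print(json.dumps({r: scan_tree(r)}, indent=2))
```

On a real host you would run it as `python3 triage.py /opt/zimbra/jetty_base/webapps/zimbra /opt/zimbra/jetty/webapps/zimbra/public /opt/zimbra/store`; the webshell list is a name match only, so any other recently modified JSP in those directories still deserves a manual look.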
The ransom notes, named README.txt, make an odd demand: to obtain a decryptor and stop the leakage of stolen data, the victim must donate to a non-profit organization that the attackers “approve of.” “Unlike traditional ransomware groups, we’re not asking you to send us money. We just dislike corporations and economic inequality,” reads the MalasLocker ransom note. “We simply ask that you make a donation to a non-profit that we approve of. It’s a win-win, you can probably get a tax deduction and good PR from your donation if you want.”
Either a threat actor’s email address or a TOR URL listing their most recent email address can be found in the ransom notes. The bottom of the note also contains a Base64-encoded block of text that is required to decrypt the data; we shall cover decryptors in more depth later in the post. Brett Callow, an Emsisoft threat analyst, discovered a connection to the ransomware gang’s data leak site, which carries the phrase “Somos malas… podemos ser peores,” Spanish for “We are bad… we can be worse.” The MalasLocker data leak website currently offers the Zimbra configurations of 169 more victims and the stolen data of three businesses. The main page of the data leak website also includes a lengthy, emoji-filled letter outlining their mission and stating their ransom demands.
“We’re a new ransomware group that have been encrypting companies’ computers to ask they donate money to whoever they want,” reads the MalasLocker data leak site. “We ask they make a donation to a nonprofit of their choice, and then save the email they get confirming the donation and send it to us so we can check the DKIM signature to make sure the email is real.”
If true, this ransom demand is extremely rare and moves the operation closer to hacktivism. It is unknown whether the threat actors would keep their word when a victim donates to a charity in exchange for a decryptor. The MalasLocker operation’s encryptor has not been located. However, the ransom note’s Base64-encoded block decodes to a header needed by the Age encryption tool to unlock a victim’s secret decryption key. Filippo Valsorda, a Google cryptographer and Go security lead, created the Age encryption tool, which employs X25519 (an ECDH curve), ChaCha20-Poly1305, and HMAC-SHA256.
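To check whether the Base64 block at the bottom of a note really is an age header, a responder can decode it and parse it against the published age v1 header format (a magic line, one or more recipient stanzas, and a MAC line). The following is an added example, not code from the article or from the age project: it parses the header structurally and reports the recipient types, but it cannot verify the HMAC-SHA256 header MAC, because that needs the file key, which only the holder of the matching X25519 private key can unwrap. The ransom note it builds is constructed, with a constructed (structurally valid but not genuinely authenticated) header; the assumption that the Base64 block is the last run of Base64 lines in the note follows the article's description.

```python
"""Structural parser for the Base64 block at the bottom of a MalasLocker ransom
note, which decodes to an age (age-encryption.org/v1) header.  Added example;
the sample note and header values are constructed."""
import base64
import re

AGE_MAGIC = "age-encryption.org/v1"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _b64decode_unpadded(s: str) -> bytes:
    """age writes Base64 without '=' padding; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def extract_base64_block(note: str) -> bytes:
    """Return the decoded trailing run of Base64-only lines from the note text."""
    lines = [ln.strip() for ln in note.strip().splitlines()]
    block = []
    for ln in reversed(lines):
        if len(ln) >= 16 and B64_LINE.match(ln):
            block.append(ln)
        elif block:
            break
    if not block:
        raise ValueError("no Base64 block found at the end of the note")
    return _b64decode_unpadded("".join(reversed(block)))


def parse_age_header(data: bytes) -> dict:
    """Parse an age v1 header: magic line, '-> type args' stanzas whose Base64
    bodies run 64 chars per line and end on a shorter line, then '--- <MAC>'.
    Anything after the MAC line (the payload) is ignored."""
    lines = data.decode("latin-1").split("\n")
    if lines[0] != AGE_MAGIC:
        raise ValueError("not an age v1 header")
    stanzas, i = [], 1
    while i < len(lines) and lines[i].startswith("-> "):
        args = lines[i][3:].split(" ")
        i += 1
        body = []
        while True:
            if i >= len(lines):
                raise ValueError("truncated stanza body")
            body.append(lines[i])
            finished = len(lines[i]) < 64
            i += 1
            if finished:
                break
        stanzas.append({"type": args[0], "args": args[1:],
                        "body": _b64decode_unpadded("".join(body))})
    if i >= len(lines) or not lines[i].startswith("--- "):
        raise ValueError("missing header MAC line")
    return {"version": "v1", "stanzas": stanzas,
            "mac": _b64decode_unpadded(lines[i][4:]),
            "mac_verified": False}  # needs the file key; cannot be checked here


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")


def make_sample_note() -> str:
    """Constructed ransom-note text ending in a constructed age header."""
    header = "\n".join([
        AGE_MAGIC,
        "-> X25519 " + _b64(b"\x01" * 32),  # constructed ephemeral share
        _b64(b"\x02" * 32),                  # constructed wrapped file key
        "--- " + _b64(b"\x03" * 32),         # constructed MAC (not a valid one)
    ]) + "\n"
    blob = base64.b64encode(header.encode()).decode()
    wrapped = "\n".join(blob[i:i + 76] for i in range(0, len(blob), 76))
    return ("Unlike traditional ransomware groups, we're not asking you to send us money.\n"
            "Contact: attacker@example.invalid\n\n" + wrapped + "\n")


if __name__ == "__main__":
    hdr = parse_age_header(extract_base64_block(make_sample_note()))
    print({"recipients": [s["type"] for s in hdr["stanzas"]], "mac_verified": hdr["mac_verified"]})
```

An X25519 stanza means the block was encrypted to a public key (the attackers' key, in this case), whereas an scrypt stanza would mean a passphrase; either way the parser only confirms the format, which is enough to corroborate the attribution to age without any key material.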
Only a few ransomware operations use this unusual encryption technique, and none of them target Windows machines. AgeLocker, detected in 2020, and a second campaign that MalwareHunterTeam found in August 2022 both targeted QNAP devices. Additionally, the ransom notes from the AgeLocker and QNAP campaigns use identical wording, connecting at least those two operations. Although this is a tenuous link at best, the fact that all of these ransomware activities target non-Windows machines and use Age encryption may suggest a connection.