A new ransomware variant targets Zimbra servers — but doesn’t demand a direct payment for decryption.
The ransomware, dubbed MalasLocker by BleepingComputer, began affecting Zimbra users in March 2023. It encrypts emails, adding a message that reads:
This file is encrypted, look for the README.txt for decryption instructions.
Here’s where things get weird: MalasLocker requires victims to donate to a non-profit charity.
“Your files have been encrypted with AES military-grade encryption,” the ransom note reads. “Our data recovery and security specialists can help you decrypt your files and secure your server from hackers. Contact us and we’ll provide a decrypter that will safely and quickly restore your files.”
“Any other attempts to recover your files will be a waste of your time and money, and risk permanent data loss.”
“… Unlike traditional ransomware groups, we’re not asking you to send us money. We just dislike corporations and economic inequality. We simply ask that you make a donation to a non-profit that we approve of. It’s a win-win, you can probably get a tax deduction and good PR from your donation if you want.”
Unfortunately, it’s not all good news: The group also operates a data leak site, which is currently distributing stolen data from victims compromised in the hack.
MalasLocker is an example of “hacktivist” malware.
Hacktivism involves compromising IT systems for ethical reasons. Obviously, it’s a controversial movement: Well-known hacktivist groups like Anonymous have grabbed headlines in recent years, but many of hacktivist techniques are destructive and problematic.
MalasLocker seems to choose victims randomly, and we have no evidence that their decryption “service” is safe to use.
The ransomware seems to use the Age encryption tool, which was developed by noted cryptographer Filippo Valsorda. The tool is fairly simple, but effective, and supports various encryption algorithms including HMAC-SHA256, X25519, and CharChar20-Poly1305.
In other words, decryption tools probably won’t be available anytime soon — but organizations can protect their data by using an up-to-date version of Zimbra. The encryption seems to target files writable by user Zimbra, and forum users report infections of various older releases up to Zimbra 9.0 Patch 8.8.15 – P36.
If you’re infected by MalasLocker, should you pay the “ransom?”
Many ransomware groups create decryption tools that pose additional security threats, and some decryptors may damage data. Paying for ransomware is often illegal — and while a charity donation certainly isn’t illegal, we would recommend working with cybersecurity experts to resolve a MalasLocker infection.
Remember, your goal isn’t to simply restore the lost emails: You’ll need to fully review your security controls to prevent future attacks.
If you’re building a ransomware recovery strategy, trust the experts. Datarecovery.com’s engineers have decades of combined experience with ransomware, and we’re here to help; to get started, call 1-800-237-4200 or submit a case online.
