A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide a decryptor and prevent data leaking.
The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails had been encrypted.
Numerous victims in the Zimbra forums report finding suspicious JSP files uploaded to the /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folders.
These files were found under different names, including data.jsp, noops.jsp, and heartbeat.jsp [VirusTotal]. Startup1_3.jsp [VirusTotal], which BleepingComputer found, is based on an open-source webshell.
When encrypting email messages, no extra file extension is appended to the file's name. However, security researcher MalwareHunterTeam told BleepingComputer that they append a "This file is encrypted, look for README.txt for decryption instructions" message at the end of every encrypted file.
It is unclear at this time how the threat actors are breaching the Zimbra servers.
An unusual ransom demand
The encryptor will also create ransom notes named README.txt that contain an unusual ransom demand to receive a decryptor and prevent the leaking of stolen data: a donation to a non-profit charity that they "approve of."
"Unlike traditional ransomware groups, we're not asking you to send us money. We just dislike corporations and economic inequality," reads the MalasLocker ransom note.
"We simply ask that you make a donation to a non-profit that we approve of. It's a win-win, you can probably get a tax deduction and good PR from your donation if you want."
The ransom notes either contain an email address to contact the threat actors or a TOR URL that includes the most current email address for the group. The note also has a Base64 encoded text section at the bottom that is required to receive a decryptor, which we will go into in more detail later in the article.
While the ransom notes do not contain a link to the ransomware gang's data leak site, Emsisoft threat analyst Brett Callow found a link to their data leak site, which has the title "Somos malas… podemos ser peores," translated to "We are bad… we can be worse."
The MalasLocker data leak site currently distributes the stolen data for three companies and the Zimbra configuration for 169 other victims.
The main page of the data leak site also contains a long emoji-filled message explaining what they stand for and the ransoms they require.
"We are a new ransomware group that have been encrypting companies' computers to ask they donate money to whoever they want," reads the MalasLocker data leak site.
"We ask they make a donation to a nonprofit of their choice, and then save the email they get confirming the donation and send it to us so we can check the DKIM signature to make sure the email is real."
This ransom demand is very unusual and, if honest, puts the operation more into the realm of hacktivism.
However, BleepingComputer has yet to determine if the threat actors are keeping their word when a victim donates money to a charity for a decryptor.
Unusual Age encryption
BleepingComputer has not been able to find the encryptor for the MalasLocker operation. However, the Base64 encoded block in the ransom note decodes to an Age encryption tool header required to decrypt a victim's private decryption key.
age-encryption.org/v1
-> X25519 GsrkJHxV7l4w2GPV56Ja/dtKGnqQFj/qUjnabYYqVWY
nkEmdfk4CojS5sTtDHR9OtzElaZ8B0+1iLtquHyh6Hg
-> .7PM/-grease {0DS )2D'y,c BA
l/tjxov1fa12V8Imj8SfQ27INLwEg+AC2lX3ou4N8HAjtmu9cPV6xLQ
--- 7bAeZFny0Xk7gqxscyeDGDbHjsCvAZ0aETUUhIsXnyg
The Age encryption tool was developed by Filippo Valsorda, cryptographer and Go security lead at Google, and uses the X25519 (an ECDH curve), ChaCha20-Poly1305, and HMAC-SHA256 algorithms.
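A parser for the header format quoted above, as an added example that is not code from the article or from the age project: it decodes a note's Base64 block, walks the age v1 stanzas (64-column wrapped, unpadded canonical Base64) and reports what an incident responder can learn from it. The sample block is constructed here by Base64-encoding the header lines shown above, with the grease stanza line taken as printed.

```python
import base64
# Constructed sample: the header lines quoted in the article, Base64-encoded as README.txt carries them.
SAMPLE_HEADER = (
    "age-encryption.org/v1\n"
    "-> X25519 GsrkJHxV7l4w2GPV56Ja/dtKGnqQFj/qUjnabYYqVWY\n"
    "nkEmdfk4CojS5sTtDHR9OtzElaZ8B0+1iLtquHyh6Hg\n"
    "-> .7PM/-grease {0DS )2D'y,c BA\n"
    "l/tjxov1fa12V8Imj8SfQ27INLwEg+AC2lX3ou4N8HAjtmu9cPV6xLQ\n"
    "--- 7bAeZFny0Xk7gqxscyeDGDbHjsCvAZ0aETUUhIsXnyg\n"
)
NOTE_BLOCK = base64.b64encode(SAMPLE_HEADER.encode("ascii")).decode("ascii")

def b64_unpadded(s: str) -> bytes:
    """age uses standard Base64 without padding and rejects non-canonical input."""
    raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    if base64.b64encode(raw).decode("ascii").rstrip("=") != s:
        raise ValueError("non-canonical base64 in header")
    return raw

def parse_age_header(text: str) -> tuple[list, bytes]:
    """Return [(type, args, body_bytes), ...] and the 32-byte HMAC-SHA256 tag."""
    lines = text.split("\n")
    if lines[0] != "age-encryption.org/v1":
        raise ValueError("not an age v1 header")
    stanzas, i = [], 1
    while i < len(lines) and lines[i].startswith("-> "):
        parts, i, body = lines[i][3:].split(" "), i + 1, ""
        while True:  # body is wrapped at 64 columns; the first shorter line ends it
            if i >= len(lines) or len(lines[i]) > 64:
                raise ValueError("truncated or malformed stanza body")
            body, i = body + lines[i], i + 1
            if len(lines[i - 1]) < 64:
                break
        stanzas.append((parts[0], parts[1:], b64_unpadded(body)))
    if i >= len(lines) or not lines[i].startswith("--- "):
        raise ValueError("missing header MAC line")
    mac = b64_unpadded(lines[i][4:])
    if len(mac) != 32:
        raise ValueError("MAC must be a 32-byte HMAC-SHA256 tag")
    return stanzas, mac

def triage_note_block(note_b64: str) -> dict:
    """Recipient types in the note and whether its X25519 stanza is well-formed (32-byte share, 32-byte wrapped key)."""
    stanzas, mac = parse_age_header(base64.b64decode(note_b64).decode("ascii"))
    x = [s for s in stanzas if s[0] == "X25519"]
    ok = len(x) == 1 and len(x[0][1]) == 1 and len(b64_unpadded(x[0][1][0])) == 32
    # The share is per-file, not the attackers' key; without their X25519 identity the
    # wrapped file key cannot be unwrapped, so the block reveals structure only.
    return {"recipient_types": [s[0] for s in stanzas],
            "x25519_ok": ok and len(x[0][2]) == 32, "mac_len": len(mac)}
```

The wrapped body is the 16-byte file key plus its 16-byte Poly1305 tag, which is why a well-formed X25519 stanza carries exactly 32 bytes.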
This is an uncommon encryption method, with only a few ransomware operations using it, and none of them targeting Windows devices.
The first was AgeLocker, discovered in 2020, and the other was found by MalwareHunterTeam in August 2022, both targeting QNAP devices.
Furthermore, the ransom notes from the QNAP campaign and AgeLocker share similar language, further linking those two operations at least.
While this is a weak link at best, the targeting of non-Windows devices and the use of Age encryption by all of these ransomware operations could indicate that they are related.