
MalasLocker Ransomware Targets Zimbra Servers, Asks Charity Donation in Ransom

A recently emerged ransomware operation, known as MalasLocker, has targeted Zimbra servers to steal emails and encrypt files.

Uniquely, the threat actors behind this operation deviate from the traditional ransom demand: instead of payment, they require victims to make a charitable donation to obtain the decryptor and prevent the leak of stolen data.

The malicious activity of MalasLocker commenced in late March 2023, when victims' Zimbra servers were encrypted, leaving the email stored on them unreadable.

In the Zimbra forums, numerous victims have reported discovering suspicious JSP files that were uploaded to either the /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folders.

Multiple files with distinct names were discovered during the investigation, such as info.jsp, noops.jsp, heartbeat.jsp, and Startup1_3.jsp, which appears to be derived from an open-source webshell.

Notably, no additional file extension is added to the original file name when email messages are encrypted. Instead, security researchers have observed that the encryptor appends the message “This file is encrypted, look for README.txt for decryption instructions” to the end of each encrypted file.

The method employed by the threat actors to compromise Zimbra servers remains unclear and requires further examination by security experts.

Hackers Demand Charity in Ransom

The encryptor used by MalasLocker generates ransom notes named README.txt, which contain an unconventional ransom demand: a donation to a specific non-profit charity approved by the threat actors in exchange for a decryptor and prevention of data leakage.

These ransom notes provide either an email address or a TOR URL, which hosts the group's most up-to-date contact email address. At the bottom of the note is a section of Base64-encoded text that the victim must supply in order to receive the decryptor.

The MalasLocker data leak site is presently distributing stolen data from three companies and disclosing the Zimbra configuration of 169 other victims. The main page of the data leak site features a lengthy message filled with emojis, outlining their principles and the ransoms they demand.

This ransom demand is highly unusual and, if genuine, suggests that the operation falls more into the realm of hacktivism. However, whether the threat actors uphold their promise to provide a decryptor when a victim donates to the specified charity remains uncertain.

Unusual Age Encryption

Despite extensive research efforts, the encryptor used by the MalasLocker operation has not been recovered. However, the Base64-encoded section of the ransom note has been decoded and found to contain an Age encryption header, which is needed to decrypt a victim's private decryption key.
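As an added example (not code from the article or from the MalasLocker operation), a small triage script that applies the two indicators described here: the trailer appended to each encrypted message, and a README.txt whose Base64 section decodes to an Age header. The sample directory tree, file names and recipient stanza are constructed; the only fact taken from the age format is that every age file begins with the line age-encryption.org/v1.

```python
import base64
import re
import tempfile
from pathlib import Path

# Trailer the article reports at the end of every encrypted message (no extension change).
ENCRYPTED_MARKER = b"This file is encrypted, look for README.txt for decryption instructions"
AGE_HEADER_PREFIX = "age-encryption.org/v1"  # first line of every age v1 file
BASE64_BLOCK = re.compile(rb"(?:[A-Za-z0-9+/]{4}\s*){7,}[A-Za-z0-9+/=]{2,4}")  # >=32 chars, may wrap

def has_encryption_marker(data: bytes) -> bool:
    return data.rstrip().endswith(ENCRYPTED_MARKER)

def extract_age_header(note: bytes) -> "str | None":
    """Decode each Base64 run in a ransom note; return the first one that is an age header."""
    for match in BASE64_BLOCK.finditer(note):
        blob = re.sub(rb"\s+", b"", match.group(0))
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = decoded.decode("utf-8", errors="replace")
        if text.startswith(AGE_HEADER_PREFIX):
            return text
    return None

def triage_mail_store(root: Path) -> dict:
    """Walk a directory tree; list marked files and the age header of any README.txt found."""
    findings = {"encrypted": [], "age_headers": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data, rel = path.read_bytes(), path.relative_to(root).as_posix()
        if path.name == "README.txt":
            header = extract_age_header(data)
            if header:
                findings["age_headers"].append((rel, header.splitlines()[0]))
        elif has_encryption_marker(data):
            findings["encrypted"].append(rel)
    return findings

def demo() -> dict:
    """Run the triage over a constructed sample tree (not real victim data)."""
    header = "age-encryption.org/v1\n-> X25519 <constructed-recipient-stanza>\n"  # constructed
    note = b"Your files are encrypted. Donate and mail us.\n\n" + base64.b64encode(header.encode()) + b"\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "store").mkdir()
        (root / "store" / "1234.msg").write_bytes(b"\x00ciphertext...\n" + ENCRYPTED_MARKER)
        (root / "store" / "1235.msg").write_bytes(b"Subject: hi\n\nplain mail, untouched\n")
        (root / "README.txt").write_bytes(note)
        return triage_mail_store(root)
```

Point triage_mail_store at a copy of the mail store rather than the live one, and keep the decoded header with the incident record: it is the material a decryptor would need.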

The Age encryption tool, developed by Filippo Valsorda, a cryptographer and Go security lead at Google, employs X25519 (an ECDH curve), ChaCha20-Poly1305, and HMAC-SHA256 algorithms. This encryption method is uncommon, as only a few ransomware operations have utilized it, and notably, none have targeted Windows devices.

Interestingly, linguistic similarities between these ransom notes and those from the AgeLocker campaign against QNAP devices suggest a potential connection between the two operations.

Although this connection is tenuous, the shared traits of targeting non-Windows devices and employing Age encryption across these ransomware operations may indicate a relationship among them.
