threat-analysis

MalasLocker is a novel ransomware operation that has been active since the end of March 2023. It targets Zimbra servers, exfiltrating email data and encrypting files. Unlike traditional ransomware, MalasLocker doesn’t demand a direct ransom payment but requires the victim to make a donation to an approved non-profit charity. They claim to be a group that dislikes corporations and economic inequality. The victim is asked to save the email confirming the donation and send it back to the group, who then checks the DKIM signature to confirm the email’s authenticity. This unique demand positions the operation more in the realm of hacktivism, although it is yet to be determined if the threat actors keep their word when a victim donates money to a charity for a decryptor.

When encrypting email messages, MalasLocker does not append an extra file extension to the file’s name. However, they append a message stating, “This file is encrypted, look for README.txt for decryption instructions,” which is at the end of every encrypted file. The README.txt files are ransom notes that contain either an email address to contact the threat actors or a TOR URL that includes the most current email address for the group. The ransom note also has a Base64 encoded text section at the bottom that is required to receive a decryptor. Some victims reported finding suspicious JSP files uploaded to certain directories of their Zimbra servers. These files, including ones named info.jsp, noops.jsp, and heartbeat.jsp, are suspected to be related to the ransomware operation.

Schedule a virtual consult with the threat intel experts at DeepSeas 

Interestingly, the ransom note includes a reference to the Age encryption tool, which is an uncommon method of encryption. The Base64 encoded block in the ransom note decodes to an Age encryption tool header, which is required to decrypt a victim’s private decryption key.

The MalasLocker operation also maintains a data leak site where they distribute stolen data from their victims. As of the latest reports, data from three companies and the Zimbra configurations of 169 other victims have been distributed on this site.