A cybersecurity research group has warned of a novel cyber threat posed by the new MalasLocker ransomware operation.
According to reports, the ransomware operators claim that their ransom demands and earnings will go to a charity foundation. The actors back up this claim by advising their victim organisations to deduct their taxes and PR before paying the ransom.
The MalasLocker ransomware operation has been targeting Zimbra servers for a few months; several victims have reported these attacks on multiple forums since March.
Moreover, some reports noted that the encrypted email messages had no additional file extension appended. Other reports stated that the encrypted files displayed the phrase “the file is encrypted, look for README.txt for decryption instructions.”
The ransomware then drops a ransom note on the infected device urging its victims to donate to one of the attacker-approved non-profit charities and to send the donation confirmation to the attackers for verification.
Victims can communicate with the attackers through an email address or TOR site listed in the ransom note. The group's leak site currently lists Zimbra configurations for nearly 170 victims, and stolen data from three of those victims has also been leaked.
The MalasLocker group's intrusion tactics against Zimbra servers remain largely hidden.
Investigations have yet to identify the intrusion method used by the MalasLocker ransomware operation. However, researchers have observed some details of its tactics.
Recent observations showed that, on several victims' servers, JSP files had been uploaded to the public Zimbra folders ‘/opt/zimbra/jetty/webapps/zimbra/public’ or ‘/opt/zimbra/jetty_base/webapps/zimbra’.
The actors uploaded these files under different names, such as heartbeat[.]jsp, noops[.]jsp, Startup1_3[.]jsp and info[.]jsp. Furthermore, the ransomware group uses the Age encryption tool for its encryption.
Researchers noted that this encryption tactic is uncommon and had previously been seen only in the AgeLocker ransomware operation in July 2020.
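As an added example (not tooling from the research group or the report), the script below turns the two observations above into a defender's triage check: it looks for JSP files in the two public Zimbra folders named in the report, flags the reported file names as high-confidence hits, and separately searches files for the “the file is encrypted…” phrase. The sample file tree it builds, the `opt/zimbra/store/...` paths, the `baseline_example.jsp` name and the caller-supplied allowlist of known-good JSP paths are all constructed or assumed here; a real Zimbra install contains legitimate JSP files, so anything reported as `unlisted` should be compared against a clean install rather than treated as malicious on its own.

```python
"""Hunt for the MalasLocker artefacts described in the report: JSP files dropped
in public Zimbra web folders, and files carrying the ransomware's marker phrase.
Added example; not the research group's own tooling."""
import os
import tempfile
from pathlib import Path

# Public Zimbra web folders named in the report (relative to the scan root)
ZIMBRA_PUBLIC_DIRS = (
    "opt/zimbra/jetty/webapps/zimbra/public",
    "opt/zimbra/jetty_base/webapps/zimbra",
)
# JSP names reported in the intrusions (defanging brackets removed)
KNOWN_JSP_NAMES = {"heartbeat.jsp", "noops.jsp", "Startup1_3.jsp", "info.jsp"}
# Phrase the report says appears in encrypted files
ENCRYPTED_MARKER = b"the file is encrypted, look for README.txt for decryption instructions"
CHUNK = 4096  # bytes read from the head and tail of each file


def find_jsp_files(root="/", allowlist=frozenset()):
    """Return sorted (relative_path, verdict) for every .jsp under the public folders.
    Reported names get 'known-name'; any other JSP not in the caller's known-good
    allowlist gets 'unlisted' and should be checked against a clean install."""
    findings = []
    for rel in ZIMBRA_PUBLIC_DIRS:
        base = Path(root) / rel
        if not base.is_dir():
            continue
        for path in base.rglob("*.jsp"):
            rel_path = str(path.relative_to(Path(root)))
            if path.name in KNOWN_JSP_NAMES:
                findings.append((rel_path, "known-name"))
            elif rel_path not in allowlist:
                findings.append((rel_path, "unlisted"))
    return sorted(findings)


def has_encrypted_marker(path):
    """True if the marker phrase appears in the first or last CHUNK bytes.
    Reading only head and tail keeps the scan cheap on large mailbox stores."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(CHUNK)
        fh.seek(max(0, size - CHUNK))
        tail = fh.read(CHUNK)
    return ENCRYPTED_MARKER in head or ENCRYPTED_MARKER in tail


def find_marked_files(root="/"):
    """Walk `root` and return sorted relative paths of files carrying the marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and has_encrypted_marker(p):
                hits.append(str(p.relative_to(Path(root))))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample tree: two JSPs with reported names, one stand-in for a
    legitimate Zimbra JSP, one 'encrypted' message and one clean message.
    The store paths are assumptions for illustration."""
    files = {
        "opt/zimbra/jetty/webapps/zimbra/public/heartbeat.jsp": b"<% /* constructed */ %>",
        "opt/zimbra/jetty_base/webapps/zimbra/info.jsp": b"<% /* constructed */ %>",
        "opt/zimbra/jetty_base/webapps/zimbra/public/baseline_example.jsp": b"<% /* constructed */ %>",
        "opt/zimbra/store/0/1/msg/0/123-456.msg": b"\x00" * 64 + ENCRYPTED_MARKER,
        "opt/zimbra/store/0/1/msg/0/123-457.msg": b"Subject: constructed clean mail\r\n",
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    """Build the sample tree in a temp dir and return (jsp_findings, marked_files)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        allow = {"opt/zimbra/jetty_base/webapps/zimbra/public/baseline_example.jsp"}
        return find_jsp_files(root, allow), find_marked_files(root)


if __name__ == "__main__":
    jsp_findings, marked = run_demo()
    for path, verdict in jsp_findings:
        print(f"[jsp:{verdict}] {path}")
    for path in marked:
        print(f"[marker] {path}")
```

Run against a live server with `find_jsp_files("/")` and `find_marked_files("/opt/zimbra/store")`, supplying an allowlist generated from a known-clean Zimbra installation; the file-name match alone is only circumstantial, so any hit should lead to review of the file's contents and the web server access logs around its creation time.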
Experts advise organisations to adopt proactive data security measures against threats such as the MalasLocker ransomware operation, since malicious entities continue targeting Zimbra servers with uncommon tactics. These measures include implementing MFA and regularly encrypting and backing up critical data.
