The notorious MalasLocker ransomware, active since March 2023, targets Zimbra servers and demands charity donations instead of a ransom.
The group mostly targets corporate companies providing business services, software, and manufacturing services in Italy, Russia, and the United States.
According to the SOCRadar report, they claim to have a distaste for corporate entities and economic inequality, and their deal is simple: the files are decrypted and the data leak is avoided in exchange for the donation.
Malas Ransomware Attack:
The threat actor targets victims through phishing emails in which malicious JSP documents are sent to Zimbra users.
Zimbra is an open-source software suite primarily used by organizations for email hosting, event scheduling, task management, and file sharing.
These suspicious JSP files (heartbeat.jsp, info.jsp, Startup1_3.jsp) are uploaded to specific directories such as /opt/zimbra/jetty_base/webapps/zimbra/ or the /opt/zimbra/jetty/webapps/zimbra/public folder.
Once a Zimbra user executes the malicious file, the attacker accesses the uploaded file from Zimbra's public directory for further operations.
In addition to that, threat actors utilize the vulnerabilities associated with Zimbra servers such as CVE-2022-27924 (Zimbra memcache command injection), CVE-2022-27925 (Zimbra admin directory traversal), CVE-2022-30333 (UnRAR Linux/UNIX directory traversal), and CVE-2022-37042 (Zimbra auth bypass, remote code execution).
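A defender-side check for the JSP drop described above, written as an added example (not code from the article, SOCRadar, or Zimbra): it scans the two webapp roots named in the article for JSP files that either carry the reported file names or are absent from a baseline manifest of legitimate JSPs. The manifest and the sample tree are assumptions constructed for the demo.

```python
import tempfile
from pathlib import Path

# Directories the article reports the JSP files being uploaded to.
ZIMBRA_WEBAPP_ROOTS = [
    "/opt/zimbra/jetty_base/webapps/zimbra",
    "/opt/zimbra/jetty/webapps/zimbra/public",
]

# File names the article associates with the MalasLocker intrusions.
KNOWN_MALICIOUS_JSP = {"heartbeat.jsp", "info.jsp", "startup1_3.jsp"}


def find_suspicious_jsp(roots, baseline, known=KNOWN_MALICIOUS_JSP):
    """Return sorted (root, relative_path, reason) tuples.

    `baseline` maps each root to the set of relative JSP paths that belong
    there (assumed to be recorded from a clean install of the same version).
    """
    findings = []
    for root in roots:
        root_path = Path(root)
        if not root_path.is_dir():
            continue  # a host may use only one of the two layouts
        for path in root_path.rglob("*.jsp"):
            rel = path.relative_to(root_path).as_posix()
            if path.name.lower() in known:  # case-insensitive on purpose
                findings.append((root, rel, "known MalasLocker JSP name"))
            elif rel not in baseline.get(root, set()):
                findings.append((root, rel, "JSP not in baseline manifest"))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree in a temp dir; returns (rel, reason)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webapps" / "zimbra"
        (root / "public").mkdir(parents=True)
        # constructed legitimate file, recorded in the baseline below
        (root / "public" / "launch.jsp").write_text("<%-- legit --%>")
        # files carrying the names reported in the article
        (root / "heartbeat.jsp").write_text("<% /* dropped */ %>")
        (root / "public" / "info.jsp").write_text("<% /* dropped */ %>")
        # an unknown JSP: caught by the manifest check, not by the name list
        (root / "public" / "unlisted.jsp").write_text("<% %>")
        baseline = {str(root): {"public/launch.jsp"}}
        return [(rel, why) for _, rel, why in find_suspicious_jsp([str(root)], baseline)]


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why}: {rel}")
```

On a real host, call find_suspicious_jsp(ZIMBRA_WEBAPP_ROOTS, baseline) with a baseline built from a known-clean Zimbra install of the same version.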
The group uses the "AGE" encryption tool to encrypt the files and does not append any extension to them, the report reads.
They host a TOR website on which they posted a list of 160 victims affected by Malas ransomware; the company names in the image were censored for confidentiality purposes.
From the welcome greeting on their TOR website, it is clear that they are a Spanish-based threat group, with a motto written in Spanish: "we are bad… we can be even worse."
The ransom note in Readme.txt demands charity donations in exchange for the decryptor tools and also explains how to reach the group by providing their contact details.
Prevention:
Unlike other threat groups, Malas ransomware is unique in its tactics and techniques. Since the MalasLocker attack vector is unclear and the group targets Zimbra servers, the best practice for avoiding the attack is to patch the application and update it to the latest version.
Source: https://cybersecuritynews.com/malaslocker-ransomware-zimbra/