A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.
The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.
Numerous victims in the Zimbra forums report finding suspicious JSP files uploaded to the /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folders.
These files were found under different names, including info.jsp, noops.jsp, and heartbeat.jsp [VirusTotal]. Startup1_3.jsp [VirusTotal], which BleepingComputer found, is based on an open-source webshell.
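As an added defender-side triage example (not code from the article, from BleepingComputer, or from Zimbra): a Python script that walks the Zimbra webapp directories named above and flags JSP files whose names match those reported, that are missing from a site-specific baseline, or that were modified at or after a chosen cutoff. The baseline set and the cutoff date are assumptions an operator supplies; `REPORTED_NAMES` comes from the file names in the text.

```python
import os
from datetime import datetime, timezone
# Directories named in the victim reports above.
ZIMBRA_WEBAPP_DIRS = (
    "/opt/zimbra/jetty_base/webapps/zimbra/",
    "/opt/zimbra/jetty/webapps/zimbra/public/",
)
# JSP file names reported in the article, compared case-insensitively.
REPORTED_NAMES = {"info.jsp", "noops.jsp", "heartbeat.jsp", "startup1_3.jsp"}

def classify_jsp(entries, known_good, since_epoch):
    """Triage (path, mtime_epoch) tuples; return a list of
    {"path": ..., "reasons": [...]} for each JSP that deserves a look.
    known_good is the site's baseline of expected JSP names; JSPs modified
    at or after since_epoch are flagged too."""
    findings = []
    for path, mtime in entries:
        name = os.path.basename(path)
        if not name.lower().endswith(".jsp"):
            continue  # only JSP drops are in scope here
        reasons = []
        if name.lower() in REPORTED_NAMES:
            reasons.append("name matches a file reported in the Zimbra incidents")
        if name not in known_good:
            reasons.append("not in the site's baseline of expected JSP files")
        if mtime >= since_epoch:
            reasons.append("modified at or after the baseline date")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings

def scan_zimbra_webapps(known_good, since_epoch, dirs=ZIMBRA_WEBAPP_DIRS):
    """Walk the real Zimbra webapp directories and triage what is found."""
    entries = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for fname in files:
                path = os.path.join(root, fname)
                try:
                    entries.append((path, os.stat(path).st_mtime))
                except OSError:
                    continue  # unreadable or vanished; skip it
    return classify_jsp(entries, known_good, since_epoch)

if __name__ == "__main__":
    # Hypothetical baseline: fill it from a known-clean Zimbra install.
    baseline = {"login.jsp"}
    cutoff = datetime(2023, 3, 1, tzinfo=timezone.utc).timestamp()
    for finding in scan_zimbra_webapps(baseline, cutoff):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Run it as the zimbra user (or root) on the mailbox host; an empty result only means nothing matched these three heuristics, so hash anything flagged before deciding.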