March 15, 2025

MalasLocker Ransomware


MalasLocker is a relatively new ransomware operation that has emerged as a significant threat, particularly to organizations running Zimbra collaboration servers. Unlike traditional ransomware groups that demand cryptocurrency payments, MalasLocker initially distinguished itself by asking victims to make donations to approved charities. This atypical approach, coupled with the group's stated anti-corporate and anti-inequality motivations, places MalasLocker within a growing trend of hacktivist-influenced ransomware campaigns. While the group claims to provide decryption after proof of donation, the reliability of this promise is unconfirmed, and the threat of data leakage remains a significant concern. This article covers the origins, tactics, targets, and defenses associated with MalasLocker, giving security professionals a comprehensive understanding of this evolving threat. This kind of threat intelligence is essential for security professionals.

Origins & Evolution

MalasLocker first came to light in late March/early April 2023, with reports of compromised Zimbra servers and encrypted files surfacing on online forums. The name "MalasLocker" derives from the Spanish phrase "Somos malas... podemos ser peores" ("We are bad... We could be worse"), found on their extortion website and within their email address. This phrase hints at their self-proclaimed malicious intent and potential for escalation.

Early in their operations, MalasLocker took an aggressive stance, publicly listing victims and even releasing server configurations for a large number of "defaulters." This public shaming tactic is less common in the early stages of ransomware operations, suggesting a desire for notoriety or a more ideological motivation.

Researcher Germán Fernández has suggested a possible link between MalasLocker and the hacktivist group Guacamaya, a Central American group known for its anti-corporate and environmental activism. It's critical to emphasize that this connection is currently speculative and requires further investigation. If confirmed, this link would represent a significant development, highlighting the potential for hacktivist groups to adopt ransomware tactics for ideological or political purposes.

The group's initial demand for charitable donations, instead of direct payments, further supports the possibility of a hacktivist angle. However, more recent reports indicate that MalasLocker is shifting its demand strategy, and the exact nature of this change is still unclear. This evolution suggests that the group is adapting its tactics, possibly in response to law enforcement scrutiny, difficulties in monetizing its operations, or a change in its overall goals.

Tactics & Techniques

MalasLocker's operations combine typical ransomware tactics with some unique elements. Their primary attack vector is the exploitation of vulnerabilities in Zimbra Collaboration Suite (ZCS), a widely used open-source email and collaboration platform. Familiarity with the OWASP Top 10 helps in understanding and addressing the web application vulnerabilities involved.

Key Attack Stages:

  • Initial Access: MalasLocker gains initial access primarily by exploiting vulnerabilities in Zimbra servers. They have been observed uploading malicious JavaServer Pages (.jsp) files, acting as reverse shells, to Zimbra directories (e.g., /opt/zimbra/jetty_base/webapps/zimbra/). Specific files identified include heartbeat.jsp, info.jsp, and noops.jsp. These files were found in victim logs as early as February 2023, indicating a period of reconnaissance and preparation before the encryption attacks began. They may also use phishing emails with malicious JSP attachments, so user awareness of phishing remains part of the defense.

  • Vulnerability Exploitation: MalasLocker has been known to exploit several Zimbra vulnerabilities, including:

    • CVE-2022-24682: A vulnerability in Zimbra's Calendar feature allowing remote code execution.

    • CVE-2022-27924: Zimbra memcache command injection.

    • CVE-2022-27925: Zimbra admin directory traversal.

    • CVE-2022-30333: UnRAR Linux/UNIX directory traversal.

    • CVE-2022-37042: Zimbra auth bypass and remote code execution.

    • It's important to note that while these vulnerabilities are likely targets, specific exploitation in every MalasLocker attack is not definitively confirmed.

  • Reconnaissance: The group has been observed using the open-source web fuzzing tool FFuf (Fuzz Faster U Fool) for reconnaissance, likely to identify vulnerable Zimbra instances. Amass is another open-source tool commonly used for the same kind of reconnaissance.

  • Lateral Movement: Once inside a network, MalasLocker likely attempts to move laterally to identify and compromise additional systems and data.

  • Data Exfiltration: Before encrypting files, MalasLocker exfiltrates data, particularly emails, from compromised Zimbra servers. This data is then used as leverage for extortion, with the group threatening public release if the "donation" is not made. Organizations that hold large volumes of third-party data, such as data brokers, are particularly exposed to this kind of exfiltration.

  • Encryption: MalasLocker employs the "age" encryption tool, developed by Google's Go security lead, Filippo Valsorda. This tool is uncommon in ransomware attacks and uses strong cryptographic primitives, including X25519, ChaCha20-Poly1305, and HMAC-SHA256. The ransomware does not add a file extension; instead it appends a message to each encrypted file: "This file is encrypted, look for README.txt for decryption instructions." The same symmetric and asymmetric primitives that protect legitimate data are here turned against the victim.

  • Ransom Note (README.txt): The ransom note contains instructions for contacting the attackers (email or TOR URL) and a Base64-encoded block. This block is crucial for decryption: it carries the header information needed by the "age" decryption tool, and it ultimately decodes to the private decryption key.

  • Extortion: Initially, MalasLocker demanded that victims make a donation to a charity approved by the group. The specific charities are unknown, and the amount is reportedly determined by the victim's financial capabilities and the sensitivity of the stolen data. They threaten to publish stolen data on their leak site if the donation is not made within a specified timeframe. However, recent reports suggest a change in their demands, though the specifics remain unclear.
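Because no extension is added, responders need a way to tell encrypted files from intact ones during triage. The following added example (not code from the article or from any MalasLocker sample) checks a file for the two artifacts described above: the appended marker message, and an age v1 header at the start of the file, whose recipient stanza types (e.g. X25519) and closing MAC line it parses. The sample file contents are constructed; the exact layout of real victim files is assumed to be raw age output followed by the marker.

```python
import base64

# Marker the article says MalasLocker appends to each encrypted file (no extension is added).
MARKER = b"This file is encrypted, look for README.txt for decryption instructions."
# Magic line that opens every age v1 file; the textual header ends at the "--- <mac>" line.
AGE_MAGIC = b"age-encryption.org/v1\n"


def triage_file(data: bytes) -> dict:
    """Classify a file's bytes: does it end with the marker, and does it start with
    a complete age header? If so, list the recipient stanza types (e.g. X25519)."""
    result = {"marker": data.endswith(MARKER), "age_header": False, "recipients": []}
    if not data.startswith(AGE_MAGIC):
        return result
    # The header is ASCII text, one stanza per "-> " line, terminated by the MAC line.
    for line in data[len(AGE_MAGIC):].split(b"\n"):
        if line.startswith(b"--- "):
            result["age_header"] = True  # MAC line found: header is complete
            break
        if line.startswith(b"-> "):
            stanza_type = line[3:].split(b" ")[0]
            result["recipients"].append(stanza_type.decode("ascii", "replace"))
    return result


def _b64(raw: bytes) -> bytes:
    # age writes header fields as unpadded base64.
    return base64.b64encode(raw).rstrip(b"=")


# Constructed sample: a minimal age v1 file with one X25519 recipient, a dummy
# payload standing in for the ChaCha20-Poly1305 ciphertext, and the appended marker.
SAMPLE_ENCRYPTED = (
    AGE_MAGIC
    + b"-> X25519 " + _b64(b"\x01" * 32) + b"\n"
    + _b64(b"\x02" * 32) + b"\n"
    + b"--- " + _b64(b"\x03" * 32) + b"\n"
    + b"\x00" * 64
    + MARKER
)
# Constructed sample of an untouched mail file.
SAMPLE_CLEAN = b"From: alice@example.test\nSubject: hello\n\nplain mail body\n"

if __name__ == "__main__":
    for label, blob in (("encrypted", SAMPLE_ENCRYPTED), ("clean", SAMPLE_CLEAN)):
        print(label, triage_file(blob))
```

Running both checks independently matters: a file with the header but no marker is still age output, while a marker with no header points to a partially written or tampered file.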

MITRE ATT&CK Techniques:

Tactic               | Technique ID | Technique Name
---------------------|--------------|----------------------------------------------
Initial Access       | T1190        | Exploit Public-Facing Application
Initial Access       | T1566        | Phishing
Execution            | T1204.002    | User Execution: Malicious File
Execution            | T1059.007    | Command and Scripting Interpreter: JavaScript
Persistence          | T1505        | Server Software Component
Privilege Escalation | T1068        | Exploitation for Privilege Escalation
Defense Evasion      | T1027        | Obfuscated Files or Information
Credential Access    | T1552        | Unsecured Credentials
Discovery            | T1082        | System Information Discovery
Collection           | T1213        | Data from Information Repositories
Command and Control  | -            | -
Exfiltration         | T1041        | Exfiltration Over C2 Channel
Impact               | T1486        | Data Encrypted for Impact

Targets or Victimology

MalasLocker's targeting strategy appears to be somewhat opportunistic, focusing primarily on organizations utilizing Zimbra servers, regardless of their specific industry or geographic location. However, analysis of their victims reveals some patterns:

  • Primary Target: Zimbra servers are the primary and defining target. This focus suggests an understanding of Zimbra vulnerabilities and a capability to exploit them effectively.

  • Geographic Distribution: Victims have been reported across various regions, including:

    • Europe (with a high concentration in Italy)

    • Russia (surprisingly, given their stated anti-corporate stance)

    • United States

    • Other regions, including Asia and South America

  • Industry Distribution: While seemingly indiscriminate, there's a notable presence of victims in:

    • Professional, Scientific, and Technical Services

    • Manufacturing

    • Retail Trade

    • Information

    • Government and Education (impact on public services)

    • Healthcare (sensitive patient data)

  • Data Leak Site Victims: As of mid-May 2023, MalasLocker's data leak site listed 173 victims, including three companies whose data had been fully published and 169 "defaulters" with leaked Zimbra server configurations.

  • Stated Targeting Philosophy: The group claims they won't target companies in Africa, Latin America, and other colonized countries (with some exceptions for large foreign investors or "shitty industries"). They state they will target small companies in the U.S., Russia and Europe “excluding Ukraine as they’re dealing with enough shit at the moment.”

The targeting of Zimbra servers, a widely used platform across various sectors, indicates a broad potential impact. The group's stated targeting philosophy, while potentially a facade, adds a layer of complexity to their motivations.

Attack Campaigns

Several notable attack campaigns have been attributed to MalasLocker:

  1. Early Attacks (March-April 2023): Reports emerged on forums like BleepingComputer and Zimbra forums about compromised Zimbra servers and ransomware issues. These early attacks established MalasLocker's presence and revealed their core tactics.

  2. Public Listing of Victims (April 9, 2023): MalasLocker publicly listed 169 "defaulters" and three other organizations on their data leak site, demonstrating their aggressive approach and willingness to publicly shame victims.

  3. Harita Group Hack: MalasLocker claimed responsibility for hacking the Harita Group, an Indonesian mining and natural resource extraction conglomerate, exfiltrating 510 GB of data. They justified this attack by accusing the company of environmental damage.

  4. Attacks on Italian Municipalities, US Healthcare Providers, and Russian Educational Institutions: These attacks, though not detailed in a single campaign, demonstrate the real-world impact on various sectors and regions.

  5. Possible Connection to Blue Yonder Attack: The attack that brought Termite to prominence occurred in November 2024, when it targeted Blue Yonder, a major provider of supply chain management solutions. MalasLocker might have used a method similar to Termite's to attack Blue Yonder. A supply chain attack can impact any organization.

These campaigns, while not exhaustive, illustrate the scope and impact of MalasLocker's operations. The focus on Zimbra servers and the use of data exfiltration as leverage are consistent themes.

Defenses

Protecting against MalasLocker, and ransomware in general, requires a multi-layered security approach focusing on prevention, detection, and response.

Generic Ransomware Defense Strategies:

  • Regular Backups: Implement a robust backup strategy, including offline backups, to ensure data recovery in case of encryption.

  • Patching and Vulnerability Management: Keep all software, especially operating systems and applications like Zimbra, up-to-date with the latest security patches.

  • Strong Passwords and Multi-Factor Authentication (MFA): Enforce strong, unique passwords and implement MFA for all user accounts, especially those with administrative privileges. Consider passwordless authentication.

  • Network Segmentation: Segment the network to limit the lateral movement of attackers in case of a breach.

  • Email Security: Implement robust email security measures, including spam filtering, attachment scanning, and user training to recognize and avoid phishing attempts.

  • Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoint activity and detect malicious behavior.

  • Intrusion Detection/Prevention Systems (IDS/IPS): Utilize IDS/IPS to monitor network traffic for suspicious activity.

  • Security Awareness Training: Educate users about ransomware threats, phishing techniques, and safe online practices.

  • Incident Response Plan: Develop and regularly test an incident response plan to ensure a coordinated and effective response to a ransomware attack.

Specific Defenses Against MalasLocker:

  • Zimbra Security:

    • Upgrade Zimbra: Ensure Zimbra installations are running the latest patched versions, specifically addressing vulnerabilities like CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, CVE-2022-30333, and CVE-2022-37042.

    • Monitor for Suspicious JSP Files: Regularly check Zimbra directories (e.g., /opt/zimbra/jetty_base/webapps/zimbra/) for the presence of suspicious JSP files such as heartbeat.jsp, info.jsp, and noops.jsp.

    • Web Application Firewall (WAF): Implement a WAF to filter malicious traffic and protect against web-based attacks.

    • Zimbra-Specific Security Guidance: Follow security best practices and recommendations provided by Zimbra and cybersecurity experts.

  • Monitor for FFuf Activity: Be aware of the potential use of FFuf for reconnaissance and monitor network traffic for unusual activity associated with this tool. Security logging and monitoring are crucial for identifying and stopping FFuf activity.
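The "Monitor for Suspicious JSP Files" check above is easy to automate. The following added example (not the article's code nor a Zimbra-provided tool) enumerates .jsp files under the webapp directory named in the article and flags three things: names matching the web shells reported in victim logs, JSP files absent from a clean baseline, and baseline files modified recently. The baseline set is assumed to come from a known-clean install of the same Zimbra version; the file names and timestamps in the sample are constructed.

```python
import os
import sys
import time
from pathlib import Path

# Directory the article names as a drop location for the malicious JSP reverse shells.
ZIMBRA_WEBAPP = Path("/opt/zimbra/jetty_base/webapps/zimbra")
# Web shell file names the article reports from victim logs.
KNOWN_BAD = {"heartbeat.jsp", "info.jsp", "noops.jsp"}


def classify_jsp(relpaths, baseline, mtimes=None, now=None, window_days=30):
    """Return {relpath: reason} for JSP files that warrant a look.
    relpaths: JSP paths (relative to the webapp root) found on disk.
    baseline: relpaths from a known-clean install of the same version (assumed input).
    mtimes:   optional {relpath: mtime}; baseline files changed recently are flagged too."""
    flagged = {}
    now = now if now is not None else time.time()
    for rel in relpaths:
        if os.path.basename(rel) in KNOWN_BAD:
            flagged[rel] = "name matches reported MalasLocker web shell"
        elif rel not in baseline:
            flagged[rel] = "JSP not present in clean baseline"
        elif mtimes and rel in mtimes and now - mtimes[rel] < window_days * 86400:
            flagged[rel] = f"baseline JSP modified within {window_days} days"
    return flagged


def list_jsp(root: Path):
    """Enumerate .jsp files under root as (relpath, mtime) pairs."""
    return [(str(p.relative_to(root)), p.stat().st_mtime) for p in root.rglob("*.jsp")]


# Constructed sample: two legitimate baseline JSPs, one of them freshly modified,
# plus a dropped web shell and an unknown JSP that is not in the baseline.
SAMPLE_NOW = 1_700_000_000
SAMPLE_BASELINE = {"public/legit_a.jsp", "public/legit_b.jsp"}
SAMPLE_FOUND = ["public/legit_a.jsp", "public/legit_b.jsp", "heartbeat.jsp", "public/x.jsp"]
SAMPLE_MTIMES = {"public/legit_a.jsp": SAMPLE_NOW - 3600,
                 "public/legit_b.jsp": SAMPLE_NOW - 90 * 86400}

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else ZIMBRA_WEBAPP
    found = list_jsp(root)
    # A real run loads the baseline from a file; an empty set flags every JSP found.
    for rel, why in classify_jsp([r for r, _ in found], set(), dict(found)).items():
        print(f"{why}: {root / rel}")
```

Run it on a schedule and alert on any non-empty result; a JSP that is absent from the baseline but present under the webapp directory has no legitimate reason to exist on a production Zimbra server.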

Conclusion

MalasLocker ransomware represents a unique and evolving threat, combining traditional ransomware tactics with an atypical demand for charitable donations and a stated anti-corporate ideology. Their focus on exploiting vulnerabilities in Zimbra servers makes them a particular concern for organizations running this platform. While the group's claimed motivations and the reliability of their decryption services remain uncertain, the threat of data exfiltration and the potential for operational disruption are very real. By understanding MalasLocker's origins, tactics, and targets, and by implementing robust security measures, organizations can significantly reduce their risk of falling victim to this and similar ransomware threats. Continuous monitoring, proactive patching, and user education are crucial components of a comprehensive defense strategy against the ever-evolving landscape of cybercrime. A SOAR platform can help coordinate and automate the response when such an incident occurs.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
