Table of Contents
MalasLocker is a relatively new ransomware operation that has emerged as a significant threat, particularly to organizations utilizing Zimbra collaboration servers. Unlike traditional ransomware groups that demand cryptocurrency payments, MalasLocker initially distinguished itself by requesting victims to make donations to approved charities. This atypical approach, coupled with the group's stated anti-corporate and anti-inequality motivations, positions MalasLocker within a growing trend of hacktivist-influenced ransomware campaigns. While the group claims to offer decryption services after proof of donation, the reliability of this promise is unconfirmed, and the threat of data leakage remains a significant concern. This article delves into the origins, tactics, targets, and defenses associated with MalasLocker, providing security professionals with a comprehensive understanding of this evolving threat. Understanding threat intelligence is very important for security porfessionals.
Origins & Evolution
MalasLocker first came to light in late March/early April 2023, with reports of compromised Zimbra servers and encrypted files surfacing on online forums. The name "MalasLocker" derives from the Spanish phrase "Somos malas... podemos ser peores" ("We are bad... We could be worse"), found on their extortion website and within their email address. This phrase hints at their self-proclaimed malicious intent and potential for escalation.
Early in their operations, MalasLocker took an aggressive stance, publicly listing victims and even releasing server configurations for a large number of "defaulters." This public shaming tactic is less common in the early stages of ransomware operations, suggesting a desire for notoriety or a more ideological motivation.
Researcher Germán Fernández has suggested a possible link between MalasLocker and the hacktivist group Guacamaya, a Central American group known for its anti-corporate and environmental activism. It's critical to emphasize that this connection is currently speculative and requires further investigation. If confirmed, this link would represent a significant development, highlighting the potential for hacktivist groups to adopt ransomware tactics for ideological or political purposes.
The group's initial demand for charitable donations, instead of direct payments, further supports the possibility of a hacktivist angle. However, more recent reports indicate that MalasLocker is shifting its demanding strategy, and the exact nature of this change is still unclear. This evolution suggests that the group is adapting its tactics, possibly in response to law enforcement scrutiny, difficulties in monetizing their operations, or a change in their overall goals.
Tactics & Techniques
MalasLocker's operations combine typical ransomware tactics with some unique elements. Their primary attack vector focuses on exploiting vulnerabilities in Zimbra Collaboration Suite (ZCS), a widely used open-source email and collaboration platform. Understanding the OWASP top 10 is important to address the vulnerabilities.
Key Attack Stages:
Initial Access: MalasLocker gains initial access primarily by exploiting vulnerabilities in Zimbra servers. They have been observed uploading malicious JavaServer Pages (.jsp) files, acting as reverse shells, to Zimbra directories (e.g.,
/opt/zimbra/jetty_base/webapps/zimbra/). Specific files identified includeheartbeat.jsp,info.jsp, andnoops.jsp. These files were found in victim logs as early as February 2023, indicating a period of reconnaissance and preparation before launching encryption attacks. They may also use phishing emails with malicious JSP attachments. To prevent phishing attacks, users need to be aware.Vulnerability Exploitation: MalasLocker has been known to exploit several Zimbra vulnerabilities, including:
CVE-2022-24682: A vulnerability in Zimbra's Calendar feature allowing remote code execution.
CVE-2022-27924: Zimbra memcache command injection.
CVE-2022-27925: Zimbra admin directory traversal.
CVE-2022-30333: UnRAR Linux/UNIX directory traversal.
CVE-2022-37042: Zimbra auth bypass and remote code execution.
It's important to note that while these vulnerabilities are likely targets, specific exploitation in every MalasLocker attack is not definitively confirmed.
Reconnaissance: The group has been observed using the open-source web fuzzing tool FFuf (Fuzz Faster U Fool) for reconnaissance, likely to identify vulnerable Zimbra instances. Amass also can be used for reconnaissance.
Lateral Movement: Once inside a network, MalasLocker likely attempts to move laterally to identify and compromise additional systems and data.
Data Exfiltration: Before encrypting files, MalasLocker exfiltrates data, particularly emails, from compromised Zimbra servers. This data is then used as leverage for extortion, threatening public release if the "donation" is not made. Data brokers can be the target to exfiltrate data.
Encryption: MalasLocker employs the "age" encryption tool, developed by Google's Go security lead, Filippo Valsorda. This tool is less common in ransomware attacks and utilizes strong cryptographic algorithms, including X25519, ChaChar20-Poly1305, and HMAC-SHA256. The ransomware doesn't add a specific file extension but appends a message to each encrypted file: "This file is encrypted, look for README.txt for decryption instructions." Symmetric and asymmetric encryption helps to protect our data.
Ransom Note (README.txt): The ransom note contains instructions for contacting the attackers (email or TOR URL) and a Base64 encoded block. This block is crucial for decryption, as it contains the header information needed by the "age" decryption tool, ultimately decoding to a private decryption key.
Extortion: Initially, MalasLocker demanded that victims make a donation to a charity approved by the group. The specific charities are unknown, and the amount is reportedly determined by the victim's financial capabilities and the sensitivity of the stolen data. They threaten to publish stolen data on their leak site if the donation is not made within a specified timeframe. However, recent reports suggest a change in their demands, though the specifics remain unclear.
MITRE ATT&CK Techniques:
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| T1566 | Phishing | |
| Execution | T1204.002 | User Execution: Malicious File |
| T1059.007 | Command and Scripting Interpreter: JavaScript | |
| Persistence | T1505 | Server Software Component |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1552 | Unsecured Credentials |
| Discovery | T1082 | System Information Discovery |
| Collection | T1213 | Data from Information Repositories |
| Command and Control | - | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Impact | T1486 | Data Encrypted for Impact |
Targets or Victimology
MalasLocker's targeting strategy appears to be somewhat opportunistic, focusing primarily on organizations utilizing Zimbra servers, regardless of their specific industry or geographic location. However, analysis of their victims reveals some patterns:
Primary Target: Zimbra servers are the primary and defining target. This focus suggests an understanding of Zimbra vulnerabilities and a capability to exploit them effectively.
Geographic Distribution: Victims have been reported across various regions, including:
Europe (with a high concentration in Italy)
Russia (surprisingly, given their stated anti-corporate stance)
United States
Other regions, including Asia and South America
Industry Distribution: While seemingly indiscriminate, there's a notable presence of victims in:
Professional, Scientific, and Technical Services
Manufacturing
Retail Trade
Information
Government and Education (impact on public services)
Healthcare (sensitive patient data)
Data Leak Site Victims: As of mid-May 2023, MalasLocker's data leak site listed 173 victims, including three companies whose data had been fully published and 169 "defaulters" with leaked Zimbra server configurations.
Stated Targeting Philosophy: The group claims they won't target companies in Africa, Latin America, and other colonized countries (with some exceptions for large foreign investors or "shitty industries"). They state they will target small companies in the U.S., Russia and Europe “excluding Ukraine as they’re dealing with enough shit at the moment.”
The targeting of Zimbra servers, a widely used platform across various sectors, indicates a broad potential impact. The group's stated targeting philosophy, while potentially a facade, adds a layer of complexity to their motivations.
Attack Campaigns
Several notable attack campaigns have been attributed to MalasLocker:
Early Attacks (March-April 2023): Reports emerged on forums like BleepingComputer and Zimbra forums about compromised Zimbra servers and ransomware issues. These early attacks established MalasLocker's presence and revealed their core tactics.
Public Listing of Victims (April 9, 2023): MalasLocker publicly listed 169 "defaulters" and three other organizations on their data leak site, demonstrating their aggressive approach and willingness to publicly shame victims.
Harita Group Hack: MalasLocker claimed responsibility for hacking the Harita Group, an Indonesian mining and natural resource extraction conglomerate, exfiltrating 510 GB of data. They justified this attack by accusing the company of environmental damage.
Attacks on Italian Municipalities, US Healthcare Providers, and Russian Educational Institutions: These attacks, though not detailed in a single campaign, demonstrate the real-world impact on various sectors and regions.
Possible Connection to Blue Yonder Attack: The attack that brought Termite to prominence occurred in November 2024, when it targeted Blue Yonder, a major provider of supply chain management solutions. MalasLocker might have used the similar method to Termite to attack Blue Yonder. A supply chain attack can impact any organization.
These campaigns, while not exhaustive, illustrate the scope and impact of MalasLocker's operations. The focus on Zimbra servers and the use of data exfiltration as leverage are consistent themes.
Defenses
Protecting against MalasLocker, and ransomware in general, requires a multi-layered security approach focusing on prevention, detection, and response.
Generic Ransomware Defense Strategies:
Regular Backups: Implement a robust backup strategy, including offline backups, to ensure data recovery in case of encryption.
Patching and Vulnerability Management: Keep all software, especially operating systems and applications like Zimbra, up-to-date with the latest security patches.
Strong Passwords and Multi-Factor Authentication (MFA): Enforce strong, unique passwords and implement MFA for all user accounts, especially those with administrative privileges. Consider passwordless authentication.
Network Segmentation: Segment the network to limit the lateral movement of attackers in case of a breach.
Email Security: Implement robust email security measures, including spam filtering, attachment scanning, and user training to recognize and avoid phishing attempts.
Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoint activity and detect malicious behavior.
Intrusion Detection/Prevention Systems (IDS/IPS): Utilize IDS/IPS to monitor network traffic for suspicious activity.
Security Awareness Training: Educate users about ransomware threats, phishing techniques, and safe online practices.
Incident Response Plan: Develop and regularly test an incident response plan to ensure a coordinated and effective response to a ransomware attack.
Specific Defenses Against MalasLocker:
Zimbra Security:
Upgrade Zimbra: Ensure Zimbra installations are running the latest patched versions, specifically addressing vulnerabilities like CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, CVE-2022-30333, and CVE-2022-37042.
Monitor for Suspicious JSP Files: Regularly check Zimbra directories (e.g.,
/opt/zimbra/jetty_base/webapps/zimbra/) for the presence of suspicious JSP files likeheartbeat.jsp,info.jsp, andnoops.jsp.Web Application Firewall (WAF): Implement a WAF to filter malicious traffic and protect against web-based attacks.
Zimbra-Specific Security Guidance: Follow security best practices and recommendations provided by Zimbra and cybersecurity experts.
Monitor for FFuf Activity: Be aware of the potential use of FFuf for reconnaissance and monitor network traffic for unusual activity associated with this tool. Security logging and monitoring is crucial for preventing FFuf activity.
Conclusion
MalasLocker ransomware represents a unique and evolving threat, combining traditional ransomware tactics with an atypical demand for charitable donations and a stated anti-corporate ideology. Their focus on exploiting vulnerabilities in Zimbra servers makes them a particular concern for organizations utilizing this platform. While the group's claimed motivations and the reliability of their decryption services remain uncertain, the threat of data exfiltration and the potential for operational disruption are very real. By understanding MalasLocker's origins, tactics, and targets, and by implementing robust security measures, organizations can significantly reduce their risk of falling victim to this and similar ransomware threats. Continuous monitoring, proactive patching, and user education are crucial components of a comprehensive defense strategy against the ever-evolving landscape of cybercrime. To response against the cybercrime you can use the SOAR platform.
Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this.
You may also like these articles:
• How to Fix CVE-2021-41352- A Critical RCE Vulnerability In Zimbra Mail Servers
• AI-Driven Ransomware FunkSec Targets 85 Victims in December 2024
• Ransomware Payments Drop 35% in 2024 as Law Enforcement Disrupts Cybercrime
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- March 15, 2025
- March 15, 2025
- March 15, 2025
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- March 15, 2025
- March 15, 2025
- March 15, 2025
