This odd ransomware will target your business servers, but then ask for a donation to charity

ransomware avast
(Image credit: Avast)

Some hackers are in it for the money, while others are working for their governments, wreaking havoc and stealing data from opposing nations. But there is a small percentage of “hacktivists” - groups that don’t shy away from criminal activity, as long as it’s for a positive and socially acceptable goal.

One such group has recently been spotted targeting businesses’ Zimbra servers with ransomware. Instead of taking the ransom payment for themselves, they’re demanding victims make a donation to a charity of their choosing.

The group is called MalasLocker and seems to be from a Spanish-speaking country, as its data leak site, discovered by cybersecurity researcher from Emsisoft, Brett Callow, is titled "Somos malas... podemos ser peores," which is Spanish for "We are bad... we can be worse”. So far, the group is leaking sensitive data belonging to three breached organizations, as well as Zimbra configurations for 169 other victims.

MalasLocker

The group appears to have started its campaign in late March 2023, further stating that it’s yet unclear how they managed to compromise the Zimbra servers, if they discovered any zero-day vulnerabilities and developed any malware for it. 

Once they breach the servers and encrypt the files, they leave a ransom note with a unique message: "Unlike traditional ransomware groups, we're not asking you to send us money. We just dislike corporations and economic inequality," they say. "We simply ask that you make a donation to a non-profit that we approve of. It's a win-win, you can probably get a tax deduction and good PR from your donation if you want." 

The group’s leak site carries a similar message, but with a crucial difference:

"We're a new ransomware group that have been encrypting companies' computers to ask they donate money to whoever they want," it says. "We ask they make a donation to a nonprofit of their choice, and then save the email they get confirming the donation and send it to us so we can check the DKIM signature to make sure the email is real."

So far, there’s no confirmation the attackers really distribute the decryptor to the companies that make the payment.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.