Heloise Montini
Heloise Montini is a content writer whose background in journalism make her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.
Laura Pompeu
With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.
Bogdan Glushko
CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.
I think there's an issue with my storage device, but I'm not sure Start a free evaluation →
I need help getting my data back right now Call now (800) 972-3282
MalasLocker is a new ransomware group that emerged in March 2023 and targets vulnerabilities on Zimbra servers. The group uses Age encryption, which is an uncommon encryption technique developed by Filippo Valsorda, a renowned cryptographer.
The ransom note left by MalasLocker demands an unusual ransom: instead of a monetary payment, victims are requested to donate to any of the approved non-profit charities and send the confirmation email to the attackers for verification purposes. Also, the hacker group manifesto claims that they do not attack Latin American countries.
The group has compiled a list of 169 victims whom they categorized as “Defaulters” and threatens to leak the data if the demands are not met. MalasLocker seems to choose victims randomly, and there is no evidence that their decryption “service” is safe to use.
FAQ: If it’s for charity, is it safe to follow the instructions in the ransom note to get the data decrypted?
While forcing victims to donate money to non-profits may seem like a charitable Robin Hood-esque modus operandi, complying with the threat actor’s demands carries the same risks as any other ransomware: there’s no guarantee of a successful decryption or that data won’t be leaked, ransomware attacks are still criminal and complying to their demands does support their activities, there are still potential legal implications and ethical considerations.
SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a MalasLocker ransomware attack, contact our ransomware recovery experts immediately.
What kind of malware is MalasLocker?
MalasLocker is ransomware, which is a type of malware that encrypts and locks the victims’ files and then requests a ransom in exchange for the decryption key.
The group gains access to servers by sending phishing emails with malicious JSP documents to the users of Zimbra. Once the server is breached, MalasLocker encrypts the data using AGE encryption.
AGE encryption is a modern file encryption tool that was developed by Filippo Valsorda, a renowned cryptographer and Go security lead at Google. Overall, Age encryption is a simple, modern, and secure file encryption tool that provides a means to protect sensitive data from unauthorized access. MalasLocker using AGE encryption is unusual since ransomware usually uses a mix of symmetric and asymmetric encryption algorithms.
Everything we know about MalasLocker Ransomware
Confirmed Name
- MalasLocker virus
Threat Type
- Ransomware
- Crypto Virus
- Files locker
- Double extortion
Encrypted Files Extension
- None. Instead of adding a new file extension for encrypted files, MalasLoker ransomware adds the message: “This file is encrypted, look for README.txt for decryption instructions” to each encrypted file.
Ransom Demanding Message
- README.txt
Is There a Free Decryptor Available?
No, MalasLocker ransomware does not have a decryptor
Detection Names
- Avast Other:Malware-gen [Trj]
- AVG Other:Malware-gen [Trj]
- Emsisoft Trojan.JSP.Agent.D (B)
- Kaspersky HEUR:Backdoor.Java.JSP.gen
- Microsoft Trojan:Java/Malgent!MSR
Ransomware family, type & variant
- MalasLocker is a ransomware family
Distribution methods
- Vulnerability in Zimbra servers
- Phishing emails
Consequences
- Files are encrypted and locked until the ransom payment
- Data leak
MalasLocker ransomware IOCs
- Encrypted files
- Suspicious JSP files
- A ransom note named README.txt on the infected machine
How to find MalasLocker ransomware ransom note
MalasLocker demands a donation to a non-profit charity of their choice on the ransom note. This unusual ransom gave MalasLocker actors the moniker of “Robin Hood”. However, victims of MalasLocker should not fall for their pretenses of charity since there’s no evidence they actually donated the ransom. Donating to the non-profit charities demanded by MalasLocker ransomware carries certain risks, including lack of guarantee, supporting criminal activities, potential legal implications, data leakage, and ethical considerations.
The ransom note provides the email address of the attacker or a TOR site link showing the most recent email address to contact the attackers. It also threatens to leak the data if the demands are not met.
This is a sample of the MalasLocker ransom note:
How does MalasLocker infect a system
MalasLocker ransomware infects a system by breaching Zimbra servers. Victims have reported finding suspicious JSP files on infected servers. It is believed that MalasLocker targets Zimbra servers through phishing emails, where malicious JSP documents are sent to the users of Zimbra.
How does MalasLocker ransomware work
Once the system is compromised, MalasLocker encrypts emails and files using the Age encryption tool. Age encryption utilizes advanced algorithms such as X25519 (ECDH curve), ChaCha20-Poly1305, and HMAC-SHA2562. This encryption method is rarely utilized by ransomware operations, making MalasLocker unique in its approachIt is important to note that MalasLocker specifically targets non-Windows systems, such as Zimbra servers. The group presents itself as a “hacktivist” ransomware variant, aiming to exfiltrate sensitive emails and encrypt files. However, there is no evidence to support the safety or effectiveness of their decryption “service”.
Contacting a ransomware removal service can not only restore your files but also remove any potential threat.
How to handle a MalasLocker ransomware attack
Important: The first step after identifying MalasLocker IOCs is to resort to your Incident Response Plan (IRP). Ideally, you have an Incident Response Retainer (IRR) with a trusted team of professionals that can be contacted 24/7/365, and they can take immediate action that will prevent data loss and help you through any legal liabilities.
To the best of our knowledge with the information we have at the time this article is published, the first step that a team of ransomware recovery experts would take is to isolate the infected computer by removing any connected device.
Simultaneously this team will assist you in contacting your country’s local authorities. In the case of US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3).
To report a ransomware attack you must gather every information you can about it, including:
- Screenshots of the ransom note
- Communications with threat actors (if you have them)
- A sample of an encrypted file
However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it’s and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload, might be reverse-engineered and lead to decryption of the data or understanding how it operates.
However, if you don’t have an IRP or IRR, you can still contact ransomware removal and recovery professionals. This is the best course of action and greatly increases the chances of successfully removing the ransomware, restoring the data, and preventing future attacks. We recommend that you leave every infected machine as they are and call an emergency ransomware recovery service.
1. Contact your Incident Response provider
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
If you contact your IR service provider, then they will take care of everything else. However, if you decide to remove the ransomware and recover the files with your IT team, then you can follow the next steps.
2. Identify the ransomware infection
You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), using a ransomware ID tool, or it will be on the ransom note. With this information, you can look for a public decryption key.
You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
3. Remove the ransomware and eliminate exploit kits
Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
4. Use a backup to restore the data
Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.
5. Contact a ransomware recovery service
If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service. Complying with the demands of threat actors does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and prevent MalasLocker ransomware from attacking your network again.
Contact our experts 24/7 for emergency recovery service.
Prevent the MalasLocker ransomware attack
Preventing ransomware is the best solution for data security. is easier and cheaper than recovering from them. MalasLocker ransomware can cost your business’s future and even close its doors.
These are a few tips to ensure you can avoid ransomware attacks:
- Install antivirus and anti-malware software.
- Employ reliable cybersecurity solutions.
- Utilize strong and secure passwords.
- Keep software and operating systems up to date.
- Implement firewalls for added protection.
- Create a data recovery plan.
- Regularly schedule backups to safeguard your data.
