Threat Groups

MalasLocker

1. Overview

MalasLocker is a relatively new ransomware and data extortion group first observed in 2023. Unlike traditional financially motivated threat actors, MalasLocker operates with an unusual extortion model: instead of demanding ransom payments in cryptocurrency, victims are instructed to donate to a selected charity and provide proof of their donation to recover their data.

The group targets publicly exposed infrastructure, primarily focusing on email servers running the Zimbra Collaboration Suite. Its operations are opportunistic, technical in execution, and ideologically ambiguous. MalasLocker combines ransomware-style encryption with data theft and selective public leaks via a minimalist dark web portal.


2. Origin and Evolution

MalasLocker appeared in mid-2023 and immediately drew attention for its non-standard ransom demands. The group quickly focused on exploiting known vulnerabilities in Zimbra email servers, particularly in organisations that had not patched against previously disclosed flaws.

Since its emergence, MalasLocker has expanded its campaign to include a variety of small to mid-sized businesses, government entities, and educational institutions. The group has been linked to incidents in Europe, North America, and Asia, and its unusual extortion model has prompted both media coverage and scrutiny from threat researchers.

The group’s name derives from its messaging, which includes phrases such as “Somos malas… podemos ser peores” (“We are bad… we can be worse”), suggesting either Spanish-speaking operators or an effort to present a particular cultural or ideological identity.


3. Tactics, Techniques, and Procedures (TTPs)

MalasLocker attacks are characterised by targeted exploitation, data theft, and partial encryption. The group’s typical attack lifecycle includes:

  • Initial access
    Exploits known vulnerabilities in Zimbra Collaboration Suite (T1190), particularly webmail interfaces with exposed administration panels or insecure configurations.
  • Credential access and lateral movement
    Uses harvested credentials and exploits weak authentication setups to gain further access (T1078, T1021). Evidence suggests the group rarely uses advanced malware, instead relying on built-in system tools.
  • Data exfiltration
    Extracts emails, attachments, and address books, often focusing on sensitive correspondence or business-critical information (T1041).
  • Encryption
    Selectively encrypts mail directories, appending a unique extension and leaving ransom notes instructing victims to donate to charities. Unlike most groups, MalasLocker does not demand payment in cryptocurrency.
  • Extortion
    Victims are told to make a donation to a charity of their choice and submit proof, including the recipient, amount, and donation reference, to receive the decryption key. The group offers public verification and has a leak site where data from non-compliant victims is published.

4. Targeting Profile

MalasLocker’s targeting strategy appears opportunistic, focusing on publicly exposed Zimbra email servers. Affected sectors include:

  • Local government organisations
  • Small to medium-sized businesses
  • Educational institutions and universities
  • Non-profits and community organisations
  • Legal and professional service firms

The group does not show any clear geopolitical targeting pattern, though many of its victims are in Europe and North America. UK-based entities using Zimbra have been among the affected, particularly smaller public sector and private organisations with unpatched systems.


5. Notable Campaigns and Victims

MalasLocker does not name its victims directly in most cases, but leaked datasets and online reporting have identified several affected organisations. Known incidents include:

  • Multiple school districts in North America with exfiltrated internal emails
  • Small municipalities in the EU impacted by partial encryption and email system disruption
  • Regional law firms with client communications leaked publicly
  • Public sector organisations in the UK and Ireland using legacy Zimbra infrastructure

The group typically publishes a sample of stolen data on its leak site, but the volume and sensitivity vary. In many cases, data is made available in full after a deadline if no donation proof is provided.


6. Technical Indicators

Known indicators of MalasLocker activity include:

  • Exploitation of CVEs related to Zimbra Collaboration Suite
  • Ransom notes named readme_for_unlock.txt or similar placed in mail directories
  • File extensions appended to encrypted mail store files (e.g., .malas or .locked)
  • C2 communication via Tor-based email addresses or messaging portals
  • Exfiltration to temporary cloud storage services or FTP endpoints

Detection often relies on monitoring access to email servers, log analysis of administrative activity, and scanning for signs of encryption in user mailboxes.
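As an added illustration of the mailbox-scanning approach described above (example code, not part of the original profile), the following Python script walks a mail store directory tree and reports, per mailbox, ransom notes matching the file name given in this profile and files carrying the example encrypted extensions. The extension list is an assumption drawn from the "e.g." values above and should be adjusted to whatever an incident actually shows; the sample directory tree is constructed inside the script so it runs offline.

```python
import tempfile
from pathlib import Path

# Indicator values from the profile above. The extensions are the profile's
# illustrative examples, so they are kept in a configurable set rather than
# hard-coded as the only possibilities.
RANSOM_NOTE_NAMES = {"readme_for_unlock.txt"}
ENCRYPTED_EXTENSIONS = {".malas", ".locked"}


def scan_mail_store(root, note_names=RANSOM_NOTE_NAMES, ext_set=ENCRYPTED_EXTENSIONS):
    """Walk a mail store and return per-mailbox findings.

    The top-level directory under `root` is treated as the mailbox (an assumption
    about layout; adapt `mailbox_of` for a real deployment). Each entry records
    ransom notes, files with an encrypted extension and the total file count, so a
    single stray file can be told apart from a mailbox that is mostly encrypted.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        mailbox = rel.parts[0] if len(rel.parts) > 1 else "(root)"
        entry = findings.setdefault(
            mailbox, {"ransom_notes": [], "encrypted_files": [], "total_files": 0}
        )
        entry["total_files"] += 1
        if path.name.lower() in note_names:
            entry["ransom_notes"].append(rel.as_posix())
        elif path.suffix.lower() in ext_set:
            entry["encrypted_files"].append(rel.as_posix())
    # Only report mailboxes that show at least one indicator.
    return {m: f for m, f in findings.items() if f["ransom_notes"] or f["encrypted_files"]}


def encrypted_ratio(entry):
    """Fraction of a mailbox's files that carry an encrypted extension (0.0 if empty)."""
    if entry["total_files"] == 0:
        return 0.0
    return len(entry["encrypted_files"]) / entry["total_files"]


def build_sample_store():
    """Constructed sample tree: two clean mailboxes and one showing both indicators."""
    base = Path(tempfile.mkdtemp(prefix="mailstore_"))
    for user in ("alice", "bob"):
        (base / user / "Inbox").mkdir(parents=True)
        (base / user / "Inbox" / "1.msg").write_text("constructed clean message")
    (base / "carol" / "Inbox").mkdir(parents=True)
    (base / "carol" / "Inbox" / "3.msg.malas").write_bytes(b"\x00constructed ciphertext")
    (base / "carol" / "Inbox" / "4.msg.locked").write_bytes(b"\x00constructed ciphertext")
    (base / "carol" / "readme_for_unlock.txt").write_text("constructed ransom note")
    return base


if __name__ == "__main__":
    store = build_sample_store()
    for mailbox, entry in scan_mail_store(store).items():
        print(f"{mailbox}: notes={entry['ransom_notes']} "
              f"encrypted={len(entry['encrypted_files'])}/{entry['total_files']} "
              f"ratio={encrypted_ratio(entry):.2f}")
```

Running the scan against a mounted backup or snapshot rather than the live store avoids contending with the mail daemon, and the ratio is what to alert on: a mailbox where most files carry an unexpected extension is a far stronger signal than a single renamed file.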


7. Defensive Measures and Recommendations

To defend against MalasLocker operations:

  • Patch Zimbra Collaboration Suite and other public-facing email infrastructure promptly
  • Monitor webmail interfaces for suspicious logins and brute-force attempts
  • Restrict admin panel access via VPN or internal-only rules
  • Implement multi-factor authentication for all email accounts
  • Back up mail stores regularly and keep backups isolated from production environments
  • Review logs for file encryption behaviour or access to unusual message volumes
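To make the "monitor webmail interfaces for suspicious logins and brute-force attempts" recommendation concrete, here is an added Python example (not from the original profile and not tied to any vendor's log format) that runs two checks over webmail authentication events: a sliding-window count of failed logins per source address, and a successful login that follows a run of failures for the same account from the same address. The log lines and their `<time> <result> user=<u> ip=<ip>` layout are constructed for the example; a real deployment would replace `parse_events` with a parser for its own server's authentication log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified format (assumption: not any real server's
# format). Addresses come from the documentation ranges 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24.
SAMPLE_LOG = """\
2025-05-01T09:00:01 FAIL user=alice ip=203.0.113.10
2025-05-01T09:00:08 FAIL user=bob ip=203.0.113.10
2025-05-01T09:00:15 FAIL user=carol ip=203.0.113.10
2025-05-01T09:00:22 FAIL user=dave ip=203.0.113.10
2025-05-01T09:00:30 FAIL user=dave ip=203.0.113.10
2025-05-01T09:00:41 FAIL user=dave ip=203.0.113.10
2025-05-01T09:01:05 OK user=dave ip=203.0.113.10
2025-05-01T09:03:00 FAIL user=erin ip=198.51.100.7
2025-05-01T09:03:30 FAIL user=erin ip=198.51.100.7
2025-05-01T09:10:00 OK user=erin ip=198.51.100.7
2025-05-01T09:12:00 OK user=alice ip=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse_events(text):
    """Yield (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            yield datetime.fromisoformat(ts), result, user, ip


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: set of usernames tried} for addresses with >= threshold failures
    inside any sliding window of the given length."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    tried = defaultdict(set)         # ip -> accounts attempted
    flagged = {}
    for ts, result, user, ip in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = set(tried[ip])
    return flagged


def detect_success_after_failures(events, min_failures=3):
    """Return [(user, ip)] for successful logins preceded by >= min_failures
    consecutive failures for that same user from that same address."""
    streak = defaultdict(int)
    hits = []
    for ts, result, user, ip in events:
        key = (user, ip)
        if result == "FAIL":
            streak[key] += 1
        else:
            if streak[key] >= min_failures:
                hits.append(key)
            streak[key] = 0
    return hits


if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    print("brute-force sources:", detect_bruteforce(events))
    print("success after failures:", detect_success_after_failures(events))
```

The second check is the more valuable one for a group that relies on harvested credentials rather than custom malware: a burst of failures is noise until it ends in a successful login, at which point the account should be treated as compromised and its session and credentials revoked.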

Organisations relying on self-hosted or open-source email platforms should be particularly cautious, as these systems are increasingly targeted by opportunistic threat actors.


8. Attribution and Alliances

MalasLocker does not appear to be part of a larger ransomware cartel or nation-state operation. Its tooling and operational methods suggest a small, self-contained group. While the donation-based extortion model implies an ideological or political motive, the group’s true intentions remain unclear.

There is no known affiliation with hacktivist collectives or cybercrime syndicates, and MalasLocker appears to operate independently.


9. Conclusion

MalasLocker is a non-traditional ransomware actor using unconventional extortion methods and focusing on vulnerable email infrastructure. Its blend of encryption, data leaks, and ideological messaging distinguishes it from more established ransomware groups, though its impact on small and medium-sized organisations is significant.

For UK organisations using self-hosted Zimbra or similar services, MalasLocker represents a credible and emerging threat that requires attention to patch management, access control, and email system resilience.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025