In the constantly evolving world of ransomware, a new and unusual variation has emerged. Rather than demanding cryptocurrency payments, certain threat actors are now instructing victims to make donations to charity in exchange for decryption keys or promises not to publish stolen data. These so-called donation-model ransomware groups present themselves as ideologically driven, often citing anti-corporate motives or positioning their activity as a form of digital protest.
This article explores the rise of donation-themed ransomware, with a particular focus on MalasLocker, and compares it with other groups adopting similar messaging. We assess whether these actors represent a genuine ideological shift or simply a new tactic to manipulate victims and public perception.
What Is Donation-Model Ransomware?
Donation-model ransomware refers to extortion operations in which the attacker, after encrypting files or stealing data, requests that the victim donate a specified amount to a registered charity. The victim is then asked to submit proof of donation—such as a receipt or transaction confirmation—in lieu of a traditional ransom payment.
The apparent goals of these campaigns vary. Some actors cite political or ideological motives, others claim to be exposing corporate neglect, while a few remain ambiguous, possibly to mask a more opportunistic approach.
Despite the unconventional demands, the impact of these campaigns can be as disruptive as any standard ransomware operation.
MalasLocker: The Most Notable Example
MalasLocker, first reported in 2023, is the clearest example of a donation-themed ransomware actor. The group primarily targets Zimbra email servers, exploiting known vulnerabilities in exposed instances to gain access, exfiltrate data and then encrypt it.
Key characteristics of MalasLocker include:
- Selective encryption of user data, primarily email stores
- Ransom notes asking for a donation to a charity rather than any payment to the attackers
- Instructions to provide proof of donation (e.g. screenshots or receipts)
- No cryptocurrency payment addresses or wallets
- Occasional public leaks of stolen data when victims do not comply
The group’s messages are often written in a casual tone and include references to moral judgement and “doing the right thing.” However, their public-facing leak site and data exposure practices remain consistent with traditional extortion tactics.
Other Threat Actors with Similar Motifs
Although MalasLocker is the most visible, other actors have experimented with similar messaging:
GoodWill Ransomware
An Indian ransomware variant identified in 2022, GoodWill encrypts data and demands that the victim perform acts of kindness, such as donating clothes or feeding the poor. Victims are asked to record videos of their charitable deeds as proof.
While arguably theatrical, GoodWill still causes system disruption and data loss, and no evidence exists that these attacks have genuinely improved social conditions.
Militant-themed Leak Channels
Some Telegram-based groups involved in data leaks (but not necessarily encryption) have encouraged donations to political causes. These are typically used to signal ideological alignment rather than enforce compliance through extortion.
Are These Truly Ethical Hackers?
Donation-model ransomware groups often position themselves as morally superior to financially motivated attackers. However, this framing is misleading. Regardless of the stated cause, victims still suffer data loss, operational downtime, reputational harm, and legal exposure.
Key concerns include:
- Data protection violations: Even if no payment is made, the stolen data may contain personal or otherwise sensitive information, which can trigger breach-notification and other duties under GDPR or comparable regimes regardless of how the extortion is resolved.
- Lack of accountability: The actors remain anonymous, and a receipt for a donation buys no enforceable commitment. There is no way to verify that copied data is deleted, or that it will not be leaked or sold later.
- Coercion is still coercion: Demanding a payment of any kind, charitable or otherwise, under threat of data exposure is extortion by definition.
- Potential legal risk: Complying with a criminal demand, even by donating to a legitimate charity, may have regulatory implications in some jurisdictions and should be assessed with legal counsel (and, where appropriate, law enforcement) before any action is taken.
Defensive Recommendations
Organisations can protect themselves from these and similar groups by applying the same principles used against other forms of ransomware and data theft:
- Patch vulnerable services such as Zimbra, particularly public-facing portals
- Limit admin access to known IP ranges and enforce strong authentication
- Monitor for signs of slow data exfiltration, archive creation, and outbound cloud connections
- Educate staff on credential security and safe administration practices
- Establish incident response playbooks that include non-traditional extortion scenarios
Maintaining tested, offline backups and securing identity infrastructure remain essential safeguards, even when the attack does not involve encryption: they limit both the downtime and the leverage the attacker holds.
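To make the monitoring recommendation concrete, here is an added example (written for this article, not code from the article, from MalasLocker analysis or from any vendor) that runs the detection logic over constructed log lines. It sums outbound bytes per source/destination pair so that many small transfers to one external address are caught even when no single transfer would trip a volume alert, looks for archiver invocations in process logs, and correlates the two. Hostnames, addresses, the `/opt/zimbra/store` path, the log formats and the thresholds are all assumptions.

```python
"""Detect archive staging followed by low-and-slow outbound transfer.

Added example for this article, not code from the article or any vendor.
All log lines, hostnames, addresses and thresholds below are constructed
assumptions; adapt the parsers to your own connection and process logs.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed connection log: "time src dst dport bytes_out". mail01 (10.0.0.5)
# sends ~574 MB to one external address in twelve sub-50 MB transfers over a
# day; no single transfer would trip a per-connection volume alert.
CONN_LOG = """\
2023-05-01T01:05:00 10.0.0.5 203.0.113.20 443 48000000
2023-05-01T03:05:00 10.0.0.5 203.0.113.20 443 47500000
2023-05-01T05:05:00 10.0.0.5 203.0.113.20 443 49000000
2023-05-01T07:05:00 10.0.0.5 203.0.113.20 443 46000000
2023-05-01T09:05:00 10.0.0.5 203.0.113.20 443 48500000
2023-05-01T11:05:00 10.0.0.5 203.0.113.20 443 47000000
2023-05-01T13:05:00 10.0.0.5 203.0.113.20 443 49500000
2023-05-01T15:05:00 10.0.0.5 203.0.113.20 443 48000000
2023-05-01T17:05:00 10.0.0.5 203.0.113.20 443 47000000
2023-05-01T19:05:00 10.0.0.5 203.0.113.20 443 46500000
2023-05-01T21:05:00 10.0.0.5 203.0.113.20 443 48000000
2023-05-01T23:05:00 10.0.0.5 203.0.113.20 443 49000000
2023-05-01T23:30:00 10.0.0.5 10.0.0.9 445 120000000
2023-05-01T08:00:00 10.0.0.7 198.51.100.4 443 9000000
2023-05-01T12:00:00 10.0.0.7 198.51.100.4 443 8000000
"""

# Constructed process log: "time host user command".
PROC_LOG = """\
2023-05-01T00:40:00 mail01 zimbra tar -czf /tmp/.cache/store.tgz /opt/zimbra/store
2023-05-01T00:41:00 mail01 zimbra ls -la /tmp/.cache
2023-05-01T09:00:00 web02 root apt-get update
"""

# Constructed asset inventory mapping hostnames to addresses.
HOST_TO_IP = {"mail01": "10.0.0.5", "web02": "10.0.0.7"}

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_RE = re.compile(r"\b(tar|zip|7z|rar|gzip|xz|zstd)\b")


def is_external(ip):
    """True when the address is outside the private ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_slow_exfil(conn_text, total_threshold=500_000_000, single_threshold=50_000_000):
    """Aggregate outbound bytes per (src, external dst) pair over the whole log.

    A pair is reported when its total crosses total_threshold; low_and_slow
    marks pairs where no single transfer reached single_threshold, i.e. the
    volume only becomes visible once transfers are summed.
    """
    totals = defaultdict(lambda: {"bytes": 0, "count": 0, "max": 0})
    for line in conn_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _dport, nbytes = line.split()
        if not is_external(dst):
            continue  # internal traffic is out of scope for this rule
        nbytes = int(nbytes)
        t = totals[(src, dst)]
        t["bytes"] += nbytes
        t["count"] += 1
        t["max"] = max(t["max"], nbytes)
    return [
        {"src": src, "dst": dst, "total_bytes": t["bytes"], "transfers": t["count"],
         "low_and_slow": t["max"] < single_threshold}
        for (src, dst), t in totals.items() if t["bytes"] >= total_threshold
    ]


def flag_archive_staging(proc_text):
    """Return process records whose command line invokes an archiver."""
    findings = []
    for line in proc_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split(maxsplit=3)
        if ARCHIVE_RE.search(cmd):
            findings.append({"time": ts, "host": host, "user": user, "command": cmd})
    return findings


def correlate(conn_text, proc_text, host_to_ip=HOST_TO_IP):
    """Attach an archive_staged flag to each exfiltration finding; a host that
    both built an archive and trickled data out is the first to investigate."""
    staged_ips = {host_to_ip.get(f["host"]) for f in flag_archive_staging(proc_text)}
    findings = flag_slow_exfil(conn_text)
    for f in findings:
        f["archive_staged"] = f["src"] in staged_ips
    return findings


if __name__ == "__main__":
    for finding in correlate(CONN_LOG, PROC_LOG):
        print(finding)
```

On the constructed data the only finding is mail01 to 203.0.113.20: twelve transfers totalling 574 MB, each under the 50 MB per-transfer threshold, preceded by a `tar` of the mail store under the `zimbra` account. The thresholds have to come from your own baseline, and in production the aggregation would run over a sliding window in the SIEM rather than over a whole file, but the shape of the rule is the same.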
Conclusion
Donation-based ransomware may present itself as ethically motivated, but the underlying tactics remain coercive and harmful. Groups like MalasLocker exploit vulnerabilities, extract sensitive data, and apply pressure to their victims under the guise of charity.
While these attacks may seem novel, they are part of a broader trend in which threat actors adapt their messaging to appeal to public sentiment or reduce scrutiny. Organisations must continue to treat such incidents as serious threats and respond accordingly.