Zimbra Ransomware Targets Zimbra Mail Store

A newly-found ransomware, written in Python, targets Zimbra enterprise collaboration software. The new ransomware targets the Zimbra email message store folder and encrypts all of the files located within it. After that, it creates a ransom note in /root/how.txt demanding 3 bitcoins to release the encrypted data.

Usually, Zimbra ransomware is installed via the developer hacking into the Zimbra server and executing the Python script. Being executed, the script will generate a RSA key and a AES key which is unique to the victim’s PC. After that, the AES key is encrypted with the RSA key and both keys are emailed from support@aliexpress.com to mpritsken@priest.com.

As soon as the keys are generated, the script will create a ransom note called how.txt in the /root/ folder. The ransom note will contain the instructions and the public key which should be sent to the listed email address after the payment has been made to listed bitcoin address.

The ransom note states:

“Hello, If you want to unsafe your files you should send 3 btc to 1H7brbbi8xuUvM6XE6ogXYVCr6ycpX3mf2 and an email to mpritsken@priest.com with: [public_key_here]”

Zimbra ransomware will continue to lock all of the files located in the /opt/zimbra/store folder using AES encryption. The files located in this folder are the Zimbra emails and mailboxes, which won’t be accessible right after they are encrypted.

After a file is encrypted, it will have the .crypto extension appended to it. For instance, 10011-60383.msg would be encrypted as 10011-60383.msg .crypto.

Nevertheless, the main problem about Zimbra is that currently, there is no way to decrypt the files for free.