A new active ransomware group has been spotted that victimized nearly 200 organizations having a different spin on its extortion efforts: Don’t pay us, pay a charity
This unnamed group that is at least publicly claimed to be driven by anti-capitalist sentiment largely targets users Zimbra. The ransomware used by the group dubbed as MalasLocker by BleepingComputer
“Unlike traditional ransomware groups, we’re not asking you to send us money,” read the text of one ransom note posted April 2 on an online forum for Zimbra users. “We just dislike corporations and economic inequality. We simply ask that you make a donation to a non-profit that we approve of. It’s a win-win, you can probably get a tax deduction and good PR from your donation if you want.”
The ransomware leak website lists three companies as victims, alongside a list of 170 other entities listed as Defaulters. The group uses DDoS as attack tactics
The ransomware group wrote that it won’t target companies based in Africa, Latin America “and other colonized countries, with the exception of a few big ones of foreign investors or shitty industries.” The group will target small companies in the U.S., Russia and Europe “excluding Ukraine as they’re dealing with enough shit at the moment.”
Entities targeted by the group can either provide proof they donated to a charity or give the money to the group, who will then donate it to charity, the group said.
The message includes a series of questions the group poses to itself and answers, including whether their efforts are effective, whether they’re going to give money to charity and why they’re going through all the effort of messaging in this way when ransomware victims routinely pay profit-motivated ransomware groups.
“It will make some companies unwilling to pay us, but we aren’t writing it for them,” the group wrote. “We are writing it for other kids in Africa, Latin America, Palestine, and the world over: ransomware should not be the business of a few russian (sic) groups as now, it is a tool for all of us, to uplift our communities through robbing the countries that have pillaged ours.”
The group’s hack of the Harita Group, which DDoSecrets reported as totaling 510 gigabytes, included a message saying the Harita Group will do anything “that’ll make them a profit through destroying their countries’ environment,” and references its connections to Swiss based conglomerate Glencore, which has been tied to widespread bribery and corruption in Africa, and fuel price manipulation
While the group appears to be focusing on smaller organizations now, it clearly has bigger targets in mind.