Charity racket: why do extortionists demand donations instead of the classic ransom?
The novice MalasLocker hacktivists have taken up encrypting Zimbra servers.
A new ransomware operation, MalasLocker, active since the end of March this year, hacks Zimbra servers, then steals and encrypts the data on them. However, instead of demanding the usual cash ransom, the hackers say a donation to a charitable foundation is enough for them to provide victims with a decryptor and prevent a data leak.
Numerous victims on the Zimbra forums report suspicious JSP files uploaded to the “/opt/zimbra/jetty_base/webapps/zimbra/” or “/opt/zimbra/jetty/webapps/zimbra/public” folders. These files have been seen under various names, including info.jsp, noops.jsp, heartbeat.jsp and Startup1_3.jsp.
Security researcher MalwareHunterTeam reported that the message “This file is encrypted, look for README.txt for decryption instructions” is added to encrypted files.
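A triage check built from the indicators above, as an added example that is not part of the original article. The folder paths, JSP names and marker text are the ones quoted in the article; the function names and the choice to search everything under /opt/zimbra for the marker are assumptions made for this example.

```shell
#!/bin/sh
# Added triage example. Indicators come from the article; function names and
# the /opt/zimbra search scope for the marker are assumptions.

MARKER='This file is encrypted, look for README.txt for decryption instructions'
REPORTED_JSPS='info.jsp noops.jsp heartbeat.jsp Startup1_3.jsp'
WEBAPP_DIRS='opt/zimbra/jetty_base/webapps/zimbra opt/zimbra/jetty/webapps/zimbra/public'

# Print every reported JSP name found in the two webapp folders under ROOT.
# ROOT is "/" on a live server, or the mount point of a disk image.
find_reported_jsps() {
    root=${1%/}
    for dir in $WEBAPP_DIRS; do
        [ -d "$root/$dir" ] || continue
        for name in $REPORTED_JSPS; do
            find "$root/$dir" -type f -name "$name" -print
        done
    done
}

# Print every file under DIR that contains the encryption marker text.
find_marked_files() {
    [ -d "$1" ] || return 0
    grep -rlF -- "$MARKER" "$1" 2>/dev/null || true
}

# Report both indicator types; exit status 0 only when nothing was found.
triage() {
    jsps=$(find_reported_jsps "$1")
    marked=$(find_marked_files "${1%/}/opt/zimbra")
    if [ -n "$jsps" ]; then
        printf 'JSP files with a reported name:\n%s\n' "$jsps"
    fi
    if [ -n "$marked" ]; then
        printf 'Files carrying the encryption marker:\n%s\n' "$marked"
    fi
    [ -z "$jsps$marked" ]
}

# Run as: sh triage.sh /   (or the mount point of an image)
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

A clean result only means these specific names and this marker are absent; the article notes the files appeared under various names, so unfamiliar JSP files in the same folders still warrant review.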
In the README.txt note, MalasLocker writes: “Unlike classic ransomware groups, we do not ask you to send us money. We just don’t like corporations and economic inequality. We simply ask that you make a donation to a non-profit organization that we approve of. It’s a win-win, and you’ll likely be able to get a tax deduction and good publicity from your donation.”
Although the ransom note does not contain a link to the ransomware gang’s data breach site, the researchers still found the website. The homepage of the site contains a lengthy message filled with emojis that reveals the group’s motives and shows that these cybercriminals are ransomware buddies who primarily target small companies with weak defenses.
“We are a new ransomware group that encrypts companies’ computers to ask them to donate money to anyone. We ask them to donate to a non-profit organization of their choice and then save the donation confirmation email received and send it to us so we can verify the DKIM signature to make sure the email is real,” according to MalasLocker’s data breach site.
This ransom demand is very unusual and, in truth, puts this extortion operation more in the realm of hacktivism. There is still very little information online about this group and their “charity operation”, so it is not clear whether the hackers will keep their word after the money transfer, but their approach is truly interesting. With such altruistic motives, the group will quickly gain popularity and perhaps even popular sympathy.