Zimbra Ransomware
Threat Level: 60 % (Medium)
Infected Computers: 13
First Seen: June 23, 2016
Last Seen: May 11, 2023
OS(es) Affected: Windows
The Zimbra Ransomware is an encryption ransomware Trojan written in Python that targets the Zimbra enterprise collaboration software, specifically the Zimbra mail store. It was first detected in June 2016. The Zimbra Ransomware carries out a typical encryption attack, encrypting every file in the Zimbra email message store folder, and then creates a ransom note at /root/how.txt demanding that victims pay three Bitcoin to regain access to their files. Some sources refer to the Zimbra Ransomware as 'ZimbraCryptor' so that it is not confused with Zimbra, the legitimate software product.
The Zimbra Ransomware is Delivered by a Corrupted Script
The most likely way the Zimbra Ransomware reaches victims' systems is through hacking: PC security analysts suspect that its developers broke into the Zimbra server and then executed the Python script that carries out the attack. This corrupted script generates an RSA key and an AES key unique to the affected computer. The AES key is encrypted with the RSA key, and both keys are emailed to 'mpritsken@priest.com' from 'support@aliexpress.com'. This is a typical approach we have observed in most ransomware Trojans: it ensures that the victim has no access to the key needed to decrypt the files the threat has encrypted.
After generating the encryption keys, the Zimbra Ransomware creates a ransom note named 'how.txt' in the /root folder. The note contains instructions on how to pay and how to contact the people responsible for the attack. It also contains the public key, which victims are told to send to the included email address as part of the payment procedure. The following are the contents of the ransom note associated with the Zimbra Ransomware attack:
'Hello, If you want to unsafe your files you should send 3 btc to 1H7brbbi8xuUvM6XE6ogXYVCr6ycpX3mf2 and an email to mpritsken@priest.com with: [public_key_here]'
The Zimbra Ransomware uses AES encryption on all files located under the Zimbra store directory, '/opt/zimbra/store', which holds the Zimbra emails and mailboxes. Once encrypted, the files become inaccessible, and each encrypted file's extension is changed to '.CRYPTO'. Unfortunately, it may not be possible to decrypt the files encrypted by the Zimbra Ransomware without access to the decryption key.
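Added here as a defender's example, not code from this write-up or from any vendor: a small Python check for the indicators the description above gives, namely '.CRYPTO' files in the mail store, a how.txt note naming the wallet and contact address, and outbound mail to the address the keys are sent to. The store layout, message file names and Postfix-style log lines are constructed sample data, not real traffic.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the description above: the extension put on encrypted
# mail-store files, the ransom note name, the address the keys are mailed to
# (also named in the note) and the wallet address quoted in the note.
ENCRYPTED_SUFFIX = ".CRYPTO"
RANSOM_NOTE = "how.txt"
EXFIL_RECIPIENT = "mpritsken@priest.com"
WALLET = "1H7brbbi8xuUvM6XE6ogXYVCr6ycpX3mf2"


def scan_store(store_dir, note_dir):
    """Walk a Zimbra store tree (/opt/zimbra/store on a real host) and the
    directory that would hold how.txt (/root). Returns (encrypted_count, note_found)."""
    encrypted = [p for p in Path(store_dir).rglob("*")
                 if p.is_file() and p.suffix == ENCRYPTED_SUFFIX]
    note = Path(note_dir) / RANSOM_NOTE
    text = note.read_text(errors="ignore") if note.is_file() else ""
    return len(encrypted), (EXFIL_RECIPIENT in text or WALLET in text)


def scan_mail_log(lines):
    """Return Postfix-style log lines showing a delivery attempt to the address
    the script mails the RSA/AES keys to: the outbound MTA log is where the
    key exfiltration leaves a trace."""
    pattern = re.compile(r"to=<%s>" % re.escape(EXFIL_RECIPIENT), re.IGNORECASE)
    return [line for line in lines if pattern.search(line)]


def demo():
    """Run both checks on a constructed mini store (two encrypted messages, one
    untouched), a constructed note and two constructed log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp, "store", "0", "1", "msg")  # assumed layout, sample only
        store.mkdir(parents=True)
        (store / "257-1.msg.CRYPTO").write_bytes(b"\x00" * 32)
        (store / "258-2.msg.CRYPTO").write_bytes(b"\x00" * 32)
        (store / "259-3.msg").write_bytes(b"From: alice@example.com\r\n")
        (Path(tmp) / RANSOM_NOTE).write_text(
            f"send 3 btc to {WALLET} and an email to {EXFIL_RECIPIENT}")
        store_result = scan_store(Path(tmp, "store"), tmp)
    log = [  # constructed, not real traffic: one exfil attempt, one normal send
        "Jun 23 04:12:09 zmail postfix/smtp[2211]: 7F0A1: to=<mpritsken@priest.com>,"
        " relay=mx.priest.com[192.0.2.10]:25, status=sent (250 OK)",
        "Jun 23 04:12:11 zmail postfix/smtp[2212]: 7F0A2: to=<bob@example.org>,"
        " relay=mx.example.org[198.51.100.7]:25, status=sent (250 OK)",
    ]
    return store_result, scan_mail_log(log)
```

On a real host, point scan_store at /opt/zimbra/store and /root and feed scan_mail_log the MTA log; a non-zero '.CRYPTO' count or a matching note line is the signal to isolate the server and restore the store from offline backup.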
Protecting Your Computer From the Zimbra Ransomware Attacks
When dealing with encryption ransomware like the Zimbra Ransomware, the best protection is to take preventive measures. The following are some examples of steps you can take to ensure that your computer is protected from the Zimbra Ransomware and similar threats:
- Keep a backup of all of your files, or at least of those that are essential to you. Keep the backup on an external storage device or in the cloud, not connected to your computer (a drive that stays connected to your computer would be vulnerable to the same attack). Having an off-site backup of your files will make you totally invulnerable to the Zimbra Ransomware and similar attacks. In fact, once backups become standard, these attacks will no longer be profitable and will likely disappear.
- Use a reliable, fully updated anti-malware program to protect your computer. A fully updated anti-malware program will intercept the Zimbra Ransomware or similar threats when they attempt to enter your computer.
- Threats like the Zimbra Ransomware may be distributed through email spam. It is important to have a good anti-spam filter to keep harmful email messages out of your inbox, and essential to avoid opening unsolicited email attachments or embedded links.