Zimbra Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 60 % (Medium)
Infected Computers: 13
First Seen: June 23, 2016
Last Seen: May 11, 2023
OS(es) Affected: Windows

The Zimbra Ransomware is an encryption ransomware Trojan written in Python that was first detected in June of 2016. It is designed to target the Zimbra enterprise collaboration software, specifically the Zimbra email message store folder. The Zimbra Ransomware carries out a typical encryption attack by encrypting all files located in this folder, and creates a ransom note in /root/how.txt demanding that victims of the attack pay three BitCoin to regain access to their files. Some sources refer to the Zimbra Ransomware as 'the ZimbraCryptor' so that it will not be confused with Zimbra, which is a legitimate software product.

The Zimbra Ransomware is Delivered by a Corrupted Script

The most likely way in which the Zimbra Ransomware is installed on the victims' computers is through hacking. PC security analysts suspect that the Zimbra Ransomware's developers hacked into the Zimbra server and executed the Python script that delivers the Zimbra Ransomware attack. This corrupted script generates an RSA key and an AES key unique to the affected computer. The AES key is encrypted with the RSA key and both keys are emailed to '' from ''. This is a typical approach that we have observed in most ransomware Trojans to ensure that the victim does not have access to the key needed to decrypt the files encrypted by the encryption ransomware threat.

After generating the encryption keys, the Zimbra Ransomware will create a ransom note named 'how.txt' located in the root folder. This ransom note contains instructions on how to pay and contact the people responsible for this attack. The ransom note also contains the public key, which should be sent to the included email address as part of the payment procedure. The following are the contents of the ransom note associated with the Zimbra Ransomware attack:

'Hello, If you want to unsafe your files you should send 3 btc to 1H7brbbi8xuUvM6XE6ogXYVCr6ycpX3mf2 and an email to with: [public_key_here]'

The Zimbra Ransomware encrypts all files located in the path '/opt/zimbra/store' using AES encryption. This folder contains the Zimbra emails and mailboxes. Once they have been encrypted, they become inaccessible. After the Zimbra Ransomware encrypts a file, its extension will be changed to '.CRYPTO.' Unfortunately, it may not be possible to decrypt the files encrypted by the Zimbra Ransomware without access to the decryption key.
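The indicators described above (the renamed files in the mail store and the 'how.txt' ransom note) can be checked with a short triage script. This is an added example, not code from the threat or from Zimbra; the function names, the sample directory layout and the file timestamps are constructed for the demonstration, and the directories to scan are passed in as arguments.

```python
import os
import tempfile
from pathlib import Path

# Indicators as stated in the article; everything is matched case-insensitively.
NOTE_NAME = "how.txt"
SUFFIX = ".crypto"
NOTE_MARKERS = tuple(m.lower() for m in ("3 btc", "1H7brbbi8xuUvM6XE6ogXYVCr6ycpX3mf2"))

def triage(store_dir, note_dir):
    """Summarise ransomware indicators under a mail store and a note directory."""
    encrypted, intact = [], 0
    for dirpath, _dirs, files in os.walk(store_dir):
        for name in files:
            if name.lower().endswith(SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
            else:
                intact += 1
    note = Path(note_dir) / NOTE_NAME
    hits = []
    if note.is_file():
        text = note.read_text(errors="replace").lower()
        hits = [m for m in NOTE_MARKERS if m in text]
    # The oldest modification time among encrypted files approximates when
    # encryption began; restore from a backup taken before this point.
    first = min((os.path.getmtime(p) for p in encrypted), default=None)
    if encrypted and hits:
        verdict = "compromised"
    elif encrypted or hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "encrypted": len(encrypted), "intact": intact,
            "note_markers": hits, "first_encrypted_mtime": first}

def build_constructed_sample(root):
    """Create a constructed (fake) store and note; the layout is an assumption."""
    store = Path(root) / "store" / "0" / "1" / "msg" / "0"
    store.mkdir(parents=True)
    for i, name in enumerate(["257-1.msg.CRYPTO", "258-2.msg.crypto", "259-3.msg"]):
        f = store / name
        f.write_bytes(b"constructed sample")
        os.utime(f, (1_466_640_000 + i, 1_466_640_000 + i))
    (Path(root) / NOTE_NAME).write_text("send 3 btc to 1H7brbbi8xuUvM6XE6ogXYVCr6ycpX3mf2")
    return str(Path(root) / "store"), str(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(*build_constructed_sample(tmp)))
```

On a real server the two arguments would be the mail store folder and the folder holding the ransom note named in the article; file modification times can be altered, so treat the reported start time as a lower-confidence hint.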

Protecting Your Computer From the Zimbra Ransomware Attacks

When dealing with encryption ransomware like the Zimbra Ransomware, the best protection is to take preventive measures. The following are some examples of steps you can take to ensure that your computer is protected from the Zimbra Ransomware and similar threats:

  • Keep a backup of all of your files, or at least of those files that are essential to you. This backup should be kept on an external memory device or in the cloud, and should not stay connected to your computer (a drive that is connected to your computer would be vulnerable to these attacks). Having an off-site backup of your files will make you totally invulnerable to the Zimbra Ransomware and similar attacks. In fact, once backups become standard, these attacks will no longer be profitable and will likely disappear.
  • Use a reliable, fully updated anti-malware program to protect your computer. A fully updated anti-malware program will intercept the Zimbra Ransomware or similar threats when they attempt to enter your computer.
  • Threats like the Zimbra Ransomware may be distributed using email spam. It is important to have a good anti-spam filter to prevent harmful email messages from landing in your email inbox. It is also indispensable to avoid opening unsolicited email attachments or embedded links.
