A different kind of ransomware demand: Donate to charity to get your data back

The group has claims nearly 180 targets despite being relatively new and casts its attacks as a form of activism.
Getty Images

A new and increasingly active ransomware group that’s attacked nearly 200 organizations in less than two months has a different spin on its extortion efforts: Don’t pay us, pay a charity.

So far, this unnamed group that is at least publicly claiming to be driven by anti-capitalist sentiment and its own brand of cyber benevolence is largely targeting users of Zimbra, an online workplace collaboration tool.

“Unlike traditional ransomware groups, we’re not asking you to send us money,” read the text of one ransom note posted April 2 on an online forum for Zimbra users. “We just dislike corporations and economic inequality. We simply ask that you make a donation to a non-profit that we approve of. It’s a win-win, you can probably get a tax deduction and good PR from your donation if you want.”

The group is using ransomware dubbed MalasLocker by Bleeping Computer, the tech news site that also hosts forums where users began reporting in April that Zimbra had suffered a series of compromises. Separately, users of a dedicated Zimbra forum began complaining about ransomware issues beginning in late March, Bleeping Computer reported.


The ransomware outfit’s dark web website lists three companies as victims, alongside a list of 170 other entities listed as “Defaulters.” The group’s tactics came to light Wednesday after Distributed Denial of Secrets, a transparency advocacy and journalism website that hosts hacked data, wrote about the group’s hack of the Harita Group, an Indonesian mining and natural resource extraction conglomerate.

A representative for Synacor, the company that owns Zimbra, could not be reached for comment. Emails for the group posted by forum users were nonfunctional Thursday.

The ransomware group wrote that it won’t target companies based in Africa, Latin America “and other colonized countries, with the exception of a few big ones of foreign investors or shitty industries.” The group will target small companies in the U.S., Russia and Europe “excluding Ukraine as they’re dealing with enough shit at the moment.”

“We don’t think they are all bad, just that their relative prosperity is built on theft and we will steal back what we can,” the group wrote. “Anyways we don’t care, we have as much sympathy for them as they have for us. They can pay and get their files decrypted, or not and get them leaked. “

Entities targeted by the group can either provide proof they donated to a charity or give the money to the group, who will then donate it to charity, the group said.


“Ransomware is an excellent tool for hacktivists for the same reasons it’s an excellent tool for for-profit extortionists: entry barriers are low and it has the potential to cause massive disruption,” Brett Callow, a threat analyst with cybersecurity firm Emsisoft, told CyberScoop in an online message Thursday.

The group has a long, emoji-filled message on the front page of its website under the heading “Somos malas… podemos ser peores” (We are bad … we can be worse), a message used as part of feminist protests in various places around the world. The message on the group’s site references rich-on-poor class warfare and describes hacking as a means of fighting back.

“They break and rewrite the law as they please. Laws that only serve to legitimize and perpetuate a system of death. Literally – mass extinctions in exchange for short-term profits for a few. In their senseless quest for money and power, they concede nothing – except when we have the power to force them to. That’s the power of a riot, the power of a union, the power of general strikes, of collective action, of sabotage, of fire, and of hacks.”

The message includes a series of questions the group poses to itself and answers, including whether their efforts are effective, whether they’re going to give money to charity and why they’re going through all the effort of messaging in this way when ransomware victims routinely pay profit-motivated ransomware groups.

“It will make some companies unwilling to pay us, but we aren’t writing it for them,” the group wrote. “We are writing it for other kids in Africa, Latin America, Palestine, and the world over: ransomware should not be the business of a few russian (sic) groups as now, it is a tool for all of us, to uplift our communities through robbing the countries that have pillaged ours.”


The group’s hack of the Harita Group, for instance, which DDoSecrets reported as totaling 510 gigabytes, included a message saying the Harita Group will do anything “that’ll make them a profit through destroying their countries’ environment,” and references its connections to Swiss based conglomerate Glencore, which has been tied to widespread bribery and corruption in Africa, according to the U.K.’s Serious Fraud Office, and fuel price manipulation in the U.S, according to the Department of Justice.

While the group appears to be focusing on smaller organizations now, it clearly has bigger targets in mind.

“We’re just getting started and unfortunately the companies easily vulnerable to public exploits tend to be smaller companies and not the major multinationals,” the group wrote on its website. “We’re learning and developing our abilities as fast as we can to be able to go after more deserving targets.”

Latest Podcasts