From heimdalsecurity.com
A new ransomware operation has been observed hacking Zimbra servers to steal emails and encrypt files. Instead of demanding a ransom payment, the threat actors claim to require a donation to charity.
In March 2023, a ransomware operation dubbed MalasLocker began encrypting Zimbra servers, with victims reporting encrypted emails on both the BleepingComputer and Zimbra forums. Users said they found suspicious JSP files in the /opt/zimbra/jetty_base/webapps/zimbra/ or /opt/zimbra/jetty/webapps/zimbra/public folders.