
Zimbra Ransomware

Posted: June 23, 2016

Threat Metric

Threat Level: 6/10
Infected PCs: 30
First Seen: June 23, 2016
Last Seen: May 11, 2023
OS(es) Affected: Windows

The Zimbra Ransomware, also called the ZimbraCryptor, is a Trojan that encrypts content belonging to organizations running the Zimbra e-mail server. Its ransom note demands a Bitcoin payment before the authors will reverse the damage, but malware experts still recommend thorough Web security and data-protection practices so that decryption is never needed in the first place. Removing the Zimbra Ransomware with anti-malware tools should go hand in hand with closing whatever gap let its operators install the Trojan on the server originally.

The Reason and Rhyme Behind Your Unreadable E-mail

It's a common observation that ransomware Trojans, and file encryptors in particular, are in a state of constant, unpredictable evolution. One way researchers learn about a campaign is by looking at which kinds of data it attacks. Although common business formats, such as anything produced by the Microsoft Office applications, are the usual favorites, the Zimbra Ransomware ignores them entirely. Its campaign targets one thing only: installations of Zimbra, an open-source e-mail and collaboration server.

Because no evidence of another distribution method has been found, the Zimbra Ransomware is probably delivered by hand: the attackers compromise a specific Zimbra server and then run the Trojan on it manually. The Zimbra Ransomware is written in Python and is a relatively straightforward script that uses AES encryption against every file residing in, and only in, the /opt/zimbra/store directory, which is the message store on the server itself rather than anything on an end user's PC. Malware experts also saw the Trojan e-mailing the RSA and AES keys used by its encryption routine to an external address, presumably controlled by the Zimbra Ransomware's operator.

Besides losing access to their Zimbra messages and accounts, victims of the Zimbra Ransomware may find files carrying the Trojan's extension ('.crypto') and a plain-text file holding the ransom instructions. Since encryption is the last step in the payload, spotting the earlier symptoms, including the outbound e-mail that carries the keys off the server, may give administrators a window in which to terminate the Zimbra Ransomware before its encryption pass finishes; the server's own mail logs are the natural place to check for that transmission.
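The article names three indicators of this Trojan on a server: files renamed with the '.crypto' extension, a text file with the ransom demand, and an encryption pass that is still running when the first symptoms appear. The scanner below, an added example that is not code from the article or from Zimbra, walks a store directory and reports all three: renamed files, a ransom note (recognized by an assumed vocabulary of ransom, bitcoin and decrypt), and '.msg' files whose bytes already look like ciphertext even though they have not been renamed yet. The /opt/zimbra/store path is the one the article names; the sample store layout, file names and contents are constructed here for demonstration and are not real Zimbra data.

```python
"""
Triage scanner for a Zimbra message store hit by a '.crypto'-style encryptor.
Added example, not code from the article or from Zimbra. Point scan_store() at a
copy or snapshot of /opt/zimbra/store rather than the live store on a busy server.
"""
import math
import os
import random
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".crypto"                          # extension the article attributes to the Trojan
NOTE_KEYWORDS = ("ransom", "bitcoin", "decrypt")   # assumed ransom-note vocabulary
ENTROPY_THRESHOLD = 7.0                            # bits per byte; RFC 822 mail text sits well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: str) -> bool:
    """A small text file that mentions ransom/bitcoin/decrypt is treated as the note."""
    try:
        if os.path.getsize(path) > 64 * 1024:
            return False
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="ignore").lower()
    except OSError:
        return False
    return any(word in text for word in NOTE_KEYWORDS)


def scan_store(root: str, sample_bytes: int = 4096) -> dict:
    """Walk the store and return the paths that need attention, grouped by indicator."""
    result = {"files": 0, "encrypted_ext": [], "high_entropy": [], "ransom_notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            result["files"] += 1
            if name.endswith(ENCRYPTED_EXT):          # already renamed by the Trojan
                result["encrypted_ext"].append(path)
                continue
            if looks_like_ransom_note(path):
                result["ransom_notes"].append(path)
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            # A message blob that is mostly random bytes is either encrypted in place
            # and not yet renamed, or is being encrypted right now.
            if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                result["high_entropy"].append(path)
    return result


def build_sample_store() -> str:
    """Construct a tiny fake store for demonstration (constructed data, not real mail)."""
    rng = random.Random(2016)                      # deterministic stand-in for ciphertext
    root = tempfile.mkdtemp(prefix="zimbra_store_")
    msgdir = os.path.join(root, "0", "2", "msg", "0")
    os.makedirs(msgdir)
    plain = (b"From: alice@example.org\r\nTo: bob@example.org\r\nSubject: agenda\r\n\r\n"
             + b"Please review the attached agenda before Monday.\r\n" * 10)
    with open(os.path.join(msgdir, "257-1.msg"), "wb") as fh:      # untouched message
        fh.write(plain)
    with open(os.path.join(msgdir, "258-1.msg.crypto"), "wb") as fh:   # renamed by the Trojan
        fh.write(bytes(rng.getrandbits(8) for _ in range(2048)))
    with open(os.path.join(msgdir, "259-1.msg"), "wb") as fh:      # encrypted, not yet renamed
        fh.write(bytes(rng.getrandbits(8) for _ in range(2048)))
    with open(os.path.join(root, "how_to_decrypt.txt"), "w") as fh:
        fh.write("Your files are encrypted. Send 3 bitcoin to decrypt them.\n")
    return root


if __name__ == "__main__":
    report = scan_store(build_sample_store())
    print(f"{report['files']} files scanned: "
          f"{len(report['encrypted_ext'])} renamed .crypto, "
          f"{len(report['high_entropy'])} high-entropy, "
          f"{len(report['ransom_notes'])} ransom note(s)")
```

The entropy test matters more than the extension check during an active attack: a file is only renamed once its encryption finishes, so high-entropy '.msg' files that still carry their normal name are the clearest sign that the pass is still running and the process should be killed immediately.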

Keeping Your Professional Communications out of the Hands of Thieves

Zimbra, Inc.'s customers range from universities to government agencies and for-profit enterprises. Network administrators at such organizations should always watch for the weaknesses that let a Trojan onto a server in the first place, such as weak passwords or users who open e-mail attachments carelessly. Given its extremely narrow payload, the Zimbra Ransomware is unlikely to be distributed deliberately against home users or organizations that do not run Zimbra. As noted above, malware experts saw no attempt by the Zimbra Ransomware to encrypt anything outside the Zimbra store directory.

At the time of writing, no free decryption tool exists for the Zimbra Ransomware's campaign. Paying the three-Bitcoin ransom (roughly 1,700 USD at the time of writing) offers no guarantee of recovering the data either. Beyond the ever-present need to remove the Zimbra Ransomware and any other threats with the usual anti-malware tools, malware experts always emphasize the protection that routine backups give against hostile encryption; since this Trojan encrypts the whole store directory, those backups must be kept somewhere other than the Zimbra server itself.

Zimbra, Inc. says its name came from browsing musical album titles and stumbling on obscure Dadaist poetry, but threats like the Zimbra Ransomware are only interested in making you dance to their tune. The proper security steps beforehand can keep you out of a position where your company's livelihood depends on handing con artists a share of your profit margin.
