The Zimbra ransomware, written in Python, specifically targets Synacor’s Zimbra email collaboration platform. It is thought to be distributed by the attacker executing a Python script directly on the Zimbra server. Once launched, the Zimbra variant generates an AES key, encrypts that key with an RSA key, and then sends the key back to the attacker via email. It then drops a ransom note named how.txt in the root folder and encrypts all of the emails and mailboxes located within the opt/zimbra/store folder. The extension .crypto is appended to files encrypted by Zimbra. Zimbra demands a ransom payment of 3 Bitcoin.
- Bleeping Computer has more information about Zimbra here.
- The NJCCIC is not aware of any decryption tools available for Zimbra.
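
A host triage check for the indicators described in this profile, as an added example that is not part of the original profile or any vendor tooling. The function name `triage`, the absolute form `/opt/zimbra/store`, and the candidate note locations `/` and `/root` are assumptions (the profile only says "the root folder").

```python
"""Triage check for the indicators named in this profile (added example)."""
import os
import sys

ENCRYPTED_EXT = ".crypto"   # extension named in the profile
NOTE_NAME = "how.txt"       # ransom note name from the profile


def triage(store="/opt/zimbra/store", note_dirs=("/", "/root")):
    """Return a dict summarising profile indicators found on this host.

    store     -- assumed absolute form of the store path in the profile
    note_dirs -- assumption: the profile only says "the root folder"
    """
    encrypted, total, unreadable = [], 0, []
    # onerror records directories that could not be listed, so gaps
    # in coverage are reported instead of silently skipped
    for dirpath, _dirs, files in os.walk(
            store, onerror=lambda e: unreadable.append(e.filename)):
        for name in files:
            total += 1
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
    notes = [p for p in (os.path.join(d, NOTE_NAME) for d in note_dirs)
             if os.path.isfile(p)]
    return {
        "store_exists": os.path.isdir(store),
        "total_files": total,
        "encrypted_files": sorted(encrypted),
        "ransom_notes": notes,
        "unreadable_dirs": unreadable,
        # Either indicator alone warrants a closer look
        "suspicious": bool(encrypted or notes),
    }


if __name__ == "__main__":
    result = triage(*sys.argv[1:2])  # optional argument: store path
    print(f"store present: {result['store_exists']}, "
          f"files: {result['total_files']}, "
          f"*{ENCRYPTED_EXT}: {len(result['encrypted_files'])}")
    for path in result["ransom_notes"]:
        print("ransom note found:", path)
    for path in result["unreadable_dirs"]:
        print("could not read:", path)
    sys.exit(1 if result["suspicious"] else 0)
```

Run it with read access to the mail store; a non-zero exit status means at least one indicator was found.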