Security researchers have revealed the PYSA ransomware gang has started using a Golang-based Trojan (RAT) called ChaChi as part of a new campaign against educational organizations.
According to the BlackBerry Threat Research and Intelligence SPEAR Team, The PYSA crime gang developed the ChaChi malware, which is named after two key components of the RAT, Chashell and Chisel.
Researchers estimate the hackers developed ChaChi no earlier than mid-2019, but they believe its development likely occurred near the beginning of 2020.
Hackers used the earliest variant of this malware in attacks on French government authorities’ networks in March of 2020. Since then, researchers have observed it in attacks on health care organizations, private companies, and educational establishments. Recent PYSA ransomware attacks have targeted higher education and K-12 schools across 12 states and in the UK.
“After initial sightings in attacks during the first quarter of 2020, ChaChi’s code was altered to include obfuscation and persistence in late March or early April. Very soon after that, we started seeing ChaChi variants with the added DNS tunnelling and Port-Forwarding/Proxy functionality. There have been few noteworthy changes after that point,” researchers said.
In addition to installing ChaChi, the latest PYSA campaign uses PowerShell scripts to uninstall/stop/disable antivirus and other essential services.
Researchers said that by using Golang to develop ChaChi, PYSA ransomware operators can frustrate detection and prevention efforts by analysts and tools unfamiliar with the language.
RELATED RESOURCE
“The earliest version of ChaChi lacked several features of more mature malware, but its rapid evolution and recent deployment against national governments, healthcare organizations, and educational institutions indicates this malware is being actively developed and improved,” said researchers.
Researchers added that the malware is a “powerful tool” in the hands of malicious actors who are targeting industries notoriously susceptible to cyber attacks.
“It has demonstrated itself as a capable threat, and its use by PYSA ransomware operatives is a cause for concern, especially at a time when ransomware is experiencing alarming success through a string of high-profile attacks including campaigns conducted by REvil, Avaddon and DarkSide,” said researchers.
Researchers warned that organizations ignoring this threat do so at their own risk, especially in a year of one-after-another cyber security disasters.
-
The unseen risk in Microsoft 365: disaster recoveryBusinesses that assume they’re covered for data backup could come unstuck in a time of crisis
-
Anthropic CEO Dario Amodei's prediction about AI in software development is nowhere nearly to becoming a realityNews In March, Anthropic CEO Dario Amodei claimed up to 90% of code would be written by AI within six months – his prediction hasn't quite come to fruition.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
