PYSA ransomware gang attacks educational organizations with ChaChi malware
Golang-based RAT used to steal data before encryption


Security researchers have revealed the PYSA ransomware gang has started using a Golang-based Trojan (RAT) called ChaChi as part of a new campaign against educational organizations.
According to the BlackBerry Threat Research and Intelligence SPEAR Team, The PYSA crime gang developed the ChaChi malware, which is named after two key components of the RAT, Chashell and Chisel.
Researchers estimate the hackers developed ChaChi no earlier than mid-2019, but they believe its development likely occurred near the beginning of 2020.
Hackers used the earliest variant of this malware in attacks on French government authorities’ networks in March of 2020. Since then, researchers have observed it in attacks on health care organizations, private companies, and educational establishments. Recent PYSA ransomware attacks have targeted higher education and K-12 schools across 12 states and in the UK.
“After initial sightings in attacks during the first quarter of 2020, ChaChi’s code was altered to include obfuscation and persistence in late March or early April. Very soon after that, we started seeing ChaChi variants with the added DNS tunnelling and Port-Forwarding/Proxy functionality. There have been few noteworthy changes after that point,” researchers said.
In addition to installing ChaChi, the latest PYSA campaign uses PowerShell scripts to uninstall/stop/disable antivirus and other essential services.
Researchers said that by using Golang to develop ChaChi, PYSA ransomware operators can frustrate detection and prevention efforts by analysts and tools unfamiliar with the language.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
RELATED RESOURCE
“The earliest version of ChaChi lacked several features of more mature malware, but its rapid evolution and recent deployment against national governments, healthcare organizations, and educational institutions indicates this malware is being actively developed and improved,” said researchers.
Researchers added that the malware is a “powerful tool” in the hands of malicious actors who are targeting industries notoriously susceptible to cyber attacks.
“It has demonstrated itself as a capable threat, and its use by PYSA ransomware operatives is a cause for concern, especially at a time when ransomware is experiencing alarming success through a string of high-profile attacks including campaigns conducted by REvil, Avaddon and DarkSide,” said researchers.
Researchers warned that organizations ignoring this threat do so at their own risk, especially in a year of one-after-another cyber security disasters.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
Are chief AI officers here to stay?
In-depth Mainstay of the boardroom or short-term project leader, CAIOs are the subject of intense consideration
-
US companies dominate the European cloud market – regional players are left fighting for scraps
News Synergy data shows EU providers hold just 15% of the market despite rise in AI and drive for cloud sovereignty
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs