IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

PYSA ransomware gang attacks educational organizations with ChaChi malware

Golang-based RAT used to steal data before encryption

Security researchers have revealed the PYSA ransomware gang has started using a Golang-based Trojan (RAT) called ChaChi as part of a new campaign against educational organizations.

According to the BlackBerry Threat Research and Intelligence SPEAR Team, The PYSA crime gang developed the ChaChi malware, which is named after two key components of the RAT, Chashell and Chisel.

Researchers estimate the hackers developed ChaChi no earlier than mid-2019, but they believe its development likely occurred near the beginning of 2020.

Hackers used the earliest variant of this malware in attacks on French government authorities’ networks in March of 2020. Since then, researchers have observed it in attacks on health care organizations, private companies, and educational establishments. Recent PYSA ransomware attacks have targeted higher education and K-12 schools across 12 states and in the UK. 

“After initial sightings in attacks during the first quarter of 2020, ChaChi’s code was altered to include obfuscation and persistence in late March or early April. Very soon after that, we started seeing ChaChi variants with the added DNS tunnelling and Port-Forwarding/Proxy functionality. There have been few noteworthy changes after that point,” researchers said.

In addition to installing ChaChi, the latest PYSA campaign uses PowerShell scripts to uninstall/stop/disable antivirus and other essential services.

Researchers said that by using Golang to develop ChaChi, PYSA ransomware operators can frustrate detection and prevention efforts by analysts and tools unfamiliar with the language.

Related Resource

The definitive guide to IT security

Protecting your MSP and your customers

The definitive guide to IT security for MSPs - whitepaper from LiongardDownload now

“The earliest version of ChaChi lacked several features of more mature malware, but its rapid evolution and recent deployment against national governments, healthcare organizations, and educational institutions indicates this malware is being actively developed and improved,” said researchers.

Researchers added that the malware is a “powerful tool” in the hands of malicious actors who are targeting industries notoriously susceptible to cyber attacks.

“It has demonstrated itself as a capable threat, and its use by PYSA ransomware operatives is a cause for concern, especially at a time when ransomware is experiencing alarming success through a string of high-profile attacks including campaigns conducted by REvilAvaddon and DarkSide,” said researchers.

Researchers warned that organizations ignoring this threat do so at their own risk, especially in a year of one-after-another cyber security disasters.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

2022 IBM's Security X-Force cloud threat landscape report
Whitepaper

2022 IBM's Security X-Force cloud threat landscape report

22 Nov 2022
2022 Magic quadrant for Security Information and Event Management (SIEM)
Whitepaper

2022 Magic quadrant for Security Information and Event Management (SIEM)

22 Nov 2022
Seven realities facing SMBs as they enter a future of increased cyber threats
Whitepaper

Seven realities facing SMBs as they enter a future of increased cyber threats

21 Nov 2022
Revealed: The top 200 most common passwords of 2022
cyber security

Revealed: The top 200 most common passwords of 2022

17 Nov 2022

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022