Educational institutions have been slammed by ransomware and other attacks for many years, but the criminal group behind PYSA has upped their game with a new remote access Trojan known as “ChaChi.”
A remote access Trojan (RAT) allows hackers to access and control infected systems. Remote access software has been around since the 1980s, but it wasn’t used as malware until Trojan capabilities were added in the late 1990s. The Trojan capabilities allow the remote access software to disguise itself so that it can get past your network or endpoint defenses without being noticed. Once it has established itself inside your network, it relies on stealth and obfuscation to hide from your defenses. The IBM Security Cost of a Data Breach Report 2020 determined that the average time to identify a breach caused by a malicious attack was 230 days.
PYSA is a type of ransomware being used in the new “big game” attacks, where the threat actors choose targets based on the perceived ability to pay. PYSA stands for “Protect Your System Amigo,” which is part of the ransom message left for the victim.
How “ChaChi” makes PYSA attacks more dangerous
PYSA ransomware threat actors are now using a RAT known as “ChaChi” to target educational institutions in a double extortion scheme. While it’s not uncommon for ransomware attacks to use RATs, the combination of PYSA and ChaChi is cause for concern.
When PYSA gains access to victim networks, it begins reconnaissance using tools like Advanced Port Scanner and Advanced IP Scanner. It then installs several other tools like Koadic, WinSCP, and Mimikatz. The attackers use these tools to move laterally through the system, escalate privileges, and exfiltrate sensitive data before encrypting all Windows and Linux devices. PYSA is offered as Ransomware-as-a-Service and has been tied to several confirmed attacks. Its known infection vectors are brute-force attacks, phishing emails, and unauthorized remote desktop protocol (RDP) connections to domain controllers.
The ChaChi RAT was developed in 2019 and has been refined to include port-forwarding, DNS tunneling, and obfuscation capabilities. ChaChi provides the command-and-control (C2) capabilities for the PYSA threat actors using DNS and HTTP protocols. ChaChi is one of an increasing number of malware strains written in Go (aka ‘Golang’), which gives it an edge in efficacy. Go-based malware has three advantages for attackers:
- Support for cross-platform compilation, which means that one codebase can support binaries for multiple operating systems.
- The difficulty of reverse-engineering Go-based binaries makes this malware less likely to be detected.
- Go was designed with a robust networking stack and all of the tools necessary to manipulate network packets and requests.
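Because ChaChi carries its C2 traffic over DNS, resolver logs are one place a defender can look for it. The script below is an added example, not code from the original post or from the BlackBerry analysis: it scores each registered domain in a constructed resolver log (hypothetical "epoch client qtype qname" format) on the traits DNS tunnels tend to show, namely long, high-entropy, rarely repeated subdomain labels and a skew toward TXT-style record types. The c2-placeholder.example domain and all log lines are constructed and are not indicators from the page.

```python
import math
from collections import defaultdict

# Constructed resolver log, hypothetical "<epoch> <client> <qtype> <qname>" format; the
# c2-placeholder.example names stand in for a tunnelling domain and are not real IoCs.
SAMPLE_LOG = """\
1624000001 10.0.5.21 A www.example-school.edu
1624000002 10.0.5.21 A cdn.example-school.edu
1624000003 10.0.5.21 A mail.example-school.edu
1624000004 10.0.5.40 TXT 6a7f3c9e1b0d4e2f8a9c5b7d.c2-placeholder.example
1624000005 10.0.5.40 TXT 9c2b4d8e0f1a3c5e7b9d2f4a.c2-placeholder.example
1624000006 10.0.5.40 TXT e1f3a5c7b9d2e4f6a8c0b2d4.c2-placeholder.example
1624000007 10.0.5.40 TXT 4b6d8f0a2c4e6a8c0e2a4c6e.c2-placeholder.example
1624000008 10.0.5.40 TXT 7d9f1b3d5f7a9c1e3a5c7e9b.c2-placeholder.example
1624000009 10.0.5.21 A login.example-school.edu
1624000010 10.0.5.21 A portal.example-school.edu
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payload labels score high, ordinary hostnames score low."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))

def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype, "qname": qname.lower().rstrip(".")}

def analyse(log_text: str, min_queries=5, min_sub_len=20.0, min_entropy=3.0) -> dict:
    """Group queries by registered domain and score each one for tunnel-like traffic."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_domain[".".join(rec["qname"].split(".")[-2:])].append(rec)  # naive eTLD+1; use a public-suffix list in production
    findings = {}
    for domain, recs in by_domain.items():
        subs = [r["qname"][: -len(domain) - 1] for r in recs if len(r["qname"]) > len(domain) + 1]
        if len(recs) < min_queries or not subs:
            continue  # too little traffic to judge
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        uniq_ratio = len(set(subs)) / len(subs)  # tunnels rarely repeat a query name
        txt_ratio = sum(r["qtype"] in ("TXT", "NULL", "CNAME") for r in recs) / len(recs)
        findings[domain] = {
            "queries": len(recs), "mean_sub_len": mean_len, "mean_entropy": mean_ent,
            "unique_ratio": uniq_ratio, "txt_ratio": txt_ratio,
            "suspicious": mean_len >= min_sub_len and mean_ent >= min_entropy and uniq_ratio > 0.8,
        }
    return findings
```

The thresholds are starting points for a school-sized resolver; tune them against a week of known-good logs before alerting, since CDNs and some anti-spam services also produce long, random-looking labels.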
The FBI issued a Flash Alert in March warning of the attacks on higher education, K-12 schools, and seminaries. Several schools in the United States and the United Kingdom have been hit with PYSA and ChaChi since then. The BlackBerry research team has a detailed analysis of this attack.
Phishing is a favorite attack for many threat actors. Barracuda provides AI-based anti-phishing protection that detects and blocks threats that email gateways cannot. Protect your network against all 13 email threat types with Barracuda’s Total Email Protection.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn here.