The FBI and the BlackBerry threat team warn that the PYSA ransomware gang has been using the ChaChi remote access Trojan (RAT) to infiltrate the systems of healthcare organizations and education institutions and then running double-extortion ransom schemes.
ChaChi is a Golang-based RAT that was developed in 2020 by operators of the PYSA group to access and control infected systems. The RAT was first spotted in the wild as a rather crude utility that lacked key features like obfuscation, port-forwarding, and DNS tunneling. Its creators later upgraded it to include these more sophisticated capabilities, according to a report by the BlackBerry threat team.
“After initial sightings in attacks during the first quarter of 2020, ChaChi’s code was altered to include obfuscation and persistence in late March or early April,” the BlackBerry Threat Research and Intelligence Team says in the report.
“Very soon after that, we started seeing ChaChi variants with the added DNS tunnelling and Port-Forwarding/Proxy functionality.”
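Of the capabilities listed above, DNS tunnelling is the one defenders can most often catch in network telemetry, because encoded data carried in query names looks different from ordinary hostnames. The following is an added example, not code from the BlackBerry report or from PYSA's tooling, and it does not reproduce ChaChi's actual encoding: a generic heuristic that scores each registered domain seen in DNS query logs on distinct-subdomain count, average subdomain length and character entropy. The log format, the domain names (including the `c2-placeholder.example` stand-in) and the thresholds are constructed assumptions.

```python
"""Heuristic DNS-tunnelling detector run over constructed DNS query log lines.

Added illustration for defenders; not from the BlackBerry report and not a
model of ChaChi's real tunnelling format.  Each registered domain is scored on
three signals tunnelling traffic tends to show: many distinct subdomains, long
subdomain labels, and high character entropy (encoded data looks random).
"""
import math
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client_ip> <query_type> <query_name>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# Assumed thresholds; tune them against your own baseline traffic.
MIN_UNIQUE_SUBDOMAINS = 3
MIN_AVG_SUBDOMAIN_LEN = 20
MIN_AVG_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain).  The last two labels are taken as
    the registered domain, a simplification: production code should consult a
    public suffix list (e.g. names under co.uk need three labels)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m["client"], m["qtype"], m["qname"]


def profile_domains(text: str) -> dict:
    """Aggregate per-registered-domain statistics from the log text."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "len_sum": 0, "ent_sum": 0.0, "txt": 0})
    for _client, qtype, qname in parse_log(text):
        sub, reg = split_name(qname)
        if not sub:
            continue  # a bare registered domain carries no data channel
        d = stats[reg]
        d["queries"] += 1
        d["subdomains"].add(sub)
        d["len_sum"] += len(sub)
        d["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype == "TXT":
            d["txt"] += 1  # TXT answers are a common downstream channel
    return stats


def flag_tunnelling(text: str) -> dict:
    """Return {registered_domain: reason} for domains exceeding every threshold."""
    flagged = {}
    for reg, d in profile_domains(text).items():
        n = d["queries"]
        avg_len = d["len_sum"] / n
        avg_ent = d["ent_sum"] / n
        uniq = len(d["subdomains"])
        if (uniq >= MIN_UNIQUE_SUBDOMAINS and avg_len >= MIN_AVG_SUBDOMAIN_LEN
                and avg_ent >= MIN_AVG_ENTROPY):
            flagged[reg] = (f"{uniq} unique subdomains, avg len {avg_len:.1f}, "
                            f"avg entropy {avg_ent:.2f} bits, {d['txt']}/{n} TXT queries")
    return flagged


# Constructed sample log (not real telemetry); c2-placeholder.example stands in
# for an attacker-controlled zone, the hex labels for encoded payload chunks.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 10.0.0.5 A www.example.com
2021-06-01T10:00:02Z 10.0.0.5 A mail.example.com
2021-06-01T10:00:03Z 10.0.0.5 A mail.example.com
2021-06-01T10:00:04Z 10.0.0.5 A example.com
2021-06-01T10:00:05Z 10.0.0.6 AAAA cdn.example.net
2021-06-01T10:00:06Z 10.0.0.6 A static.cdn.example.net
this line is malformed and must be ignored
2021-06-01T10:00:07Z 10.0.0.7 TXT 3f9a1c7e2b8d4e6f0a1b2c3d4e5f6a7b.c2-placeholder.example
2021-06-01T10:00:08Z 10.0.0.7 TXT 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e.c2-placeholder.example
2021-06-01T10:00:09Z 10.0.0.7 TXT c0ffee1234567890abcdef0123456789.c2-placeholder.example
2021-06-01T10:00:10Z 10.0.0.7 A deadbeefcafe0102030405060708090a.c2-placeholder.example
"""

if __name__ == "__main__":
    for dom, why in flag_tunnelling(SAMPLE_LOG).items():
        print(f"SUSPECT {dom}: {why}")
```

Run against the constructed log, only `c2-placeholder.example` is flagged; the benign `example.com` and `example.net` queries have short, low-entropy labels and stay below every threshold. All three conditions must hold before a domain is reported, which keeps CDNs with a handful of long but repeated hostnames out of the alert queue; in practice the thresholds are set from a baseline of the organization's own resolver logs, and hits are then matched against the published indicators of compromise.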
The first ChaChi samples were deployed in March 2020 against French local government authorities. They were then used to target various industries such as healthcare and education in the UK.
The FBI has been investigating the rise of PYSA ransomware attacks since March 2020. The FBI’s March 2021 flash alert warned about an escalation of the PYSA ransomware campaign, which targeted educational institutions in 12 US states.
The FBI has detected an increase in the number of schools and universities targeted by the ransomware. The fact that many healthcare and education organizations regularly work with sensitive data makes them ideal targets for ransomware groups like PYSA. Schools and hospitals with no data backup are more likely to be attacked by ransomware operators, as they can more easily be persuaded to pay the ransom.
This ransomware gang is known for stealing sensitive data from victims’ servers, such as personally identifiable information (PII), payroll tax information, and other data types.
Details about the ChaChi RAT, including YARA rules and indicators of compromise, can be found in the report from the BlackBerry researchers who analyzed it.