PYSA ransomware backdoors education orgs using ChaChi malware
2021-06-23 13:00

The PYSA ransomware gang has been using a remote access Trojan dubbed ChaChi to backdoor the systems of healthcare and education organizations and steal data that later gets leveraged in double extortion ransom schemes.

ChaChi is a custom Golang-based RAT that was developed in early 2020 and is deployed by PYSA operators to access and control infected systems.

These attacks culminated in an escalation of PYSA ransomware activity targeting educational institutions in the UK and 12 US states, according to an FBI flash alert issued in March 2021.

"Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors," the FBI said.

"FBI reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries."

PYSA ransomware was first spotted in October 2019 when reports of companies hit by new ransomware started surfacing.


News URL

https://www.bleepingcomputer.com/news/security/pysa-ransomware-backdoors-education-orgs-using-chachi-malware/