Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

PYSA Ransomware Backdoors Education Orgs Using ChaChi Malware

PYSA Ransomware Backdoors Education Orgs Using ChaChi Malware

The PYSA ransomware gang has been using a remote access Trojan (RAT) dubbed ChaChi to backdoor the systems of healthcare and education organizations and steal data that later gets leveraged in double extortion ransom schemes.

ChaChi is a custom Golang-based RAT malware developed in early 2020 deployed by PYSA operators to access and control infected systems.

The RAT was first observed in the wild as a tool lacking obfuscation, port-forwarding, and DNS tunneling capabilities. However, its creators upgraded it to include all these features as observed when analyzing samples detected in subsequent attacks.

“After initial sightings in attacks during the first quarter of 2020, ChaChi’s code was altered to include obfuscation and persistence in late March or early April,” the BlackBerry Threat Research and Intelligence Team says in a report shared in advance with BleepingComputer.

“Very soon after that, we started seeing ChaChi variants with the added DNS tunnelling and Port-Forwarding/Proxy functionality.”

One of the earliest ChaChi samples was deployed on the networks of French local government authorities in March 2020. The ransomware gang later used an upgraded version to target various industry verticals from healthcare to private companies.

Also Read: The 5 Phases of Penetration Testing You Should Know

ChaChi timeline
ChaChi evolution (BlackBerry)

Upgraded ChaChi RAT used to escalate attacks on education orgs

These attacks culminated with an escalation of PYSA ransomware activity targeting educational institutions from the UK and 12 US states, according to an FBI flash alert issued in March 2021.

“Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors,” the FBI said.

“FBI reporting has indicated a recent increase in PYSA ransomware targeting education institutions in 12 US states and the United Kingdom. The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries.”

The fact that healthcare and education orgs are regularly working with vast amounts of sensitive personal and health information makes them the perfect victims for ransomware gangs like PYSA, who also steal data before encrypting victims’ networks.

Hospitals and schools with no data backups that also use legacy and seldomly patched systems are an even easier target for ransomware attackers as they can be more easily persuaded to pay ransoms to restore systems and get their stolen data back.

PYSA ransomware was first spotted in October 2019 when reports of companies hit by new ransomware started surfacing.

Also Read: Got Hacked? Here Are 5 Ways to Handle Data Breaches

This ransomware gang is known for exfiltrating a wide range of sensitive data from their victims’ servers, including personally identifiable information (PII), payroll tax information, and other data types.

Technical information on the ChaChi RAT, as well as indicators of compromise and YARA rules, can be found in BlackBerry threat researchers’ report.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us