Linux Platform Under Attack from Pysa Ransomware
- By Dawna M. Roberts
- Published: Oct 04, 2021
- Last Updated: Mar 18, 2022
Rarely do we hear about hacker gangs targeting the Linux platform. However, the scary part is that the majority of the world’s websites run on Linux, and most everyone could be at risk.
What is Happening?
Cloud security firm Lacework reported this week that the Pysa ransomware gang has modified its malware to include Linux using the ChaChi backdoor allowing them access to millions of websites hosted on the platform.
Data Breach Today commented that “What is believed to be the first Linux version of ChaChi, a Golang-based DNS tunneling backdoor, was spotted on VirusTotal, Lacework reports, and it is configured to use domains associated with ransomware actors known as Pysa, aka Mespinoza Ransomware Gang.”
In August, Lacework Labs found the Linux variant that uses DNS tunneling for command-and-control communications. The report noted that “PYSA’s ChaChi infrastructure appears to have been largely dormant for the past several weeks, mostly parked and apparently no longer operational. We assess with moderate confidence this sample represents the PYSA actor expanding into targeting Linux hosts with ChaChi backdoor.”
“Many actors target multiple architectures to increase their footprint, so this may be the motive here and could represent an evolution in PYSA operations. It is currently unclear if the Linux variant was used in operations. However, it was observed prior to the associated infrastructure going offline. The observed debug output, however, may indicate the specimen is still in the testing phase.”
Who is Pysa?
Pysa appeared on the scene around October 2019 and has been very active in the U.S. and overseas. The group was responsible for a ransomware attack on the Hackney Council, a local UK government body, in January 2021, after infiltrating the organization in October 2020 and crippling it. The group also appeared on France’s Computer Emergency Response Team radar in March 2020 for targeting various government agencies within the country.
The FBI warned the public back in March about the Pysa gang. The group is known for targeting educational institutions in the U.S. and UK, demanding as much as $1.6 million in ransom.
In the FBI public notice, the agency said,
“The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries.” They also added, “The attackers using PYSA tend to follow the pattern of entering a network, removing data, encrypting the system, and then threatening to make the stolen data public if the ransom is not paid.”
How it Works
Although modified for the Linux platform, this variant shares characteristics with the Windows version of the same malware, including “its core functionality, the large file size (8 M.B. +) and the use of Golang obfuscator Gobfuscate.”
Lacework Labs adds, “A distinguishing characteristic of the Linux version was the presence of debug output containing date-time data. ChaChi also leverages custom nameservers that double as C2s to support the DNS tunneling protocol.”
Threat assessors note that the ChaChi infrastructure has been offline since around June. According to Data Breach Today, the only exceptions to this are “ns1.ccenter.tech and ns2.spm.best. The two domains from the Linux variant identified as sbvjhs.xyz and sbvjhs.club resolved to Amazon I.P. address 99.83.154.118, which is an AWS Global accelerator host and has several A.V. Detections on VirusTotal.”
How Can Website Owners Stay Safe?
The number one way website owners can stay safe is to be diligent about security. Some other tips to stay safe include:
- Keep your website platforms and hosting up to date with the latest security patches.
- Keep a close eye on access logs and scan for unusual changes to files.
- Use very strong passwords on hosting logins and website backends.
- Install a firewall on your website and set it to maximum security.
