The ‘ChaChi’ trojan is helping a ransomware gang target schools

Research from BlackBerry aims to help K-12 schools and universities identify a trojan horse virus that's being used by operators of the PYSA ransomware.
Trojan horse illustration
(Getty Images)

Research published Wednesday by BlackBerry details a recently identified trojan being used by a ransomware gang that’s increasingly turned its sights on K-12 school districts and higher education institutions in the United States.

The remote access trojan, or RAT, which BlackBerry researchers dubbed “ChaChi,” a portmanteau of two hacking tools it uses, has been used as a backdoor to networks targeted by a ransomware called PYSA, which the FBI warned in March is behind a rising wave of attacks on education, health and corporate networks.

According to BlackBerry, an early form of ChaChi was first spotted in March 2020, infiltrating local governments in France. But it was later upgraded with new capabilities, including code obfuscation and DNS tunneling, an exploit that allows an attacker to bypass a victim network’s firewalls and other detection methods. The trojan is written in Golang, a relatively new programming language that fewer technologists are familiar with, making it more difficult to analyze.

“Detection is still quite difficult, there’s a lot of work that needs to be done on it,” said Jim Simpson, a threat research principal at BlackBerry.


PYSA, meanwhile, is one of several ransomware variants that engages in what the cybersecurity industry terms “big-game hunting” — chasing bounties from large and potentially deep-pocketed organizations in hopes of a large payday.

In its March alert, the FBI reported that PYSA — which stands for “protect your system, amigo,” a ransom note it leaves behind for victims — had “specifically targeted higher education, K-12 schools and seminaries” in 12 states and the United Kingdom. Like other ransomware groups, PYSA actors also exfiltrate information from targeted networks and threatens to publish it if a ransom is not paid.

Educational institutions have made particularly tempting targets during the COVID-19 pandemic because of their large populations and proliferation of remote users, said Eric Milam, BlackBerry’s vice president of research and intelligence.

“You think about who’s going to be on those networks. It’s a massive range of people,” he said. “A lot more difficult to pick up from a network level.”

The BlackBerry report notes that educational institutions often fail to train their staff in adequate cyber hygiene skills, despite the large amounts of sensitive data they hold.


“Higher education environments tend to function like miniature cities, with a heavy cultural emphasis on information-sharing. Not only do they host significant quantities of business data; schools also host traffic from students living on campus,” the report reads. “These students often have little security awareness training, and they might fall victim to suspicious emails, fail to recognize questionable websites, or download malicious programs onto their personal devices while connected. These factors contribute to these industries being easy but valuable targets to threat actors and may explain the sudden increase in PYSA actors attacking educational institutions.”

Simpson and Milam said BlackBerry’s researchers developed a new tool to help organizations’ cybersecurity teams de-obfuscate the ChaChi trojan’s intentionally garbled code. Milam said it allows threat hunters to see the original source code, making it easier to identify and remove from a network.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed is the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He has written extensively about ransomware, election security, and the federal government's role in assisting states, localities and higher education institutions with information security.

Latest Podcasts