Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Get Ready for PYSA Ransomware Attacks Against Linux Systems

Linux is increasingly targeted by ransomware. Researchers have now detected indications that the PYSA ransomware, often also known as Mespinoza, is also being readied for Linux targets.

Linux is increasingly targeted by ransomware. Researchers have now detected indications that the PYSA ransomware, often also known as Mespinoza, is also being readied for Linux targets.

PYSA, first detected in December 2019, is thought to be an evolution of Mespinoza, first detected in October 2019. The PYSA acronym stands for ‘Protect Your System Amigo’. So far it has largely been used against Windows systems in the education, healthcare, and government sectors. The FBI issued an alert on PYSA in March 2021.

It is commonly used with the ChaChi Golang-based backdoor. ChaChi is used to locate and exfiltrate data before the PYSA ransomware is activated in a double extortion attack. Researchers at Lacework, a firm that automates security across cloud deployments, now believe that PYSA should be added to the growing list of ransomware that targets Linux.

On July 1, 2021, Alien Labs reported that new samples of REvil ransomware targeting Linux systems had been detected. “REvil ransomware authors have expanded their arsenal to include Linux ransomware, which allows them to target ESXi and NAS devices,” it wrote.

On July 14, 2021, the MalwareHunterTeam disclosed on Twitter, that “the Linux version of HelloKitty ransomware was already using esxcli at least in early March for stopping VMs…”

In August 2021, Malwarebytes found a Linux ELF64 encryptor tied to BlackMatter, the group thought to have grown out of the earlier DarkSide group (best known for its attack on Colonial Pipeline). Analysis determined that the malware is designed to target VMWare ESXi servers.

Lacework researchers now report ‘with moderate confidence’ that its research “represents the PYSA actor expanding into targeting Linux hosts with ChaChi backdoor.” In June 2021, a report from the BlackBerry Research and Intelligence Team demonstrated the PYSA/ChaChi connection.

No Linux version of PYSA or ChaChi has yet been found in the wild. Lacework’s conclusions come from the discovery of a customized Linux variant of ChaChi on VirusTotal. While the new variant shares characteristics with its Windows counterpart, the researchers note, “A distinguishing characteristic of the Linux version was the presence of debug output containing datetime data.” Its newness is confirmed by just one of the 61 AV engines on VirusTotal detecting it as malware.

This leads the Lacework researchers to believe that the discovered version may have been still in its testing phase. This opinion is strengthened by the observation that the greater part of the ChaChi infrastructure has been parked or offline since June 23-24, 2021. Lacework suspects that the PYSA ransomware is going through a similar process of development into a Linux variant.

Ultimately, this is all circumstantial evidence. Nevertheless, the combination of a trend towards Linux ransomware, the discovery of PYSA’s ChaChi exfiltration tool being redeveloped for Linux, and the current inactivity of the ChaChi infrastructure all point towards PYSA being readied for use against Linux targets. If this proves correct, we can expect to see some PYSA-based big game hunting double extortion ransomware attacks in the coming weeks or months.

Lacework, headquartered in Silicon Valley, was founded in January 2015 by Mike Speiser, Sanjay Kalra, and Vikram Kapoor. It raised $525 million in a Series D funding round in January 2021, bringing the total raised to date to $599 million.

Related: Thousands of Sites Infected With Linux Encryption Ransomware

Related: CISA, FBI Warn of Increase in Ransomware Attacks on Holidays

Related: Double Extortion: Ransomware’s New Normal – Encryption & Data Theft

Related: Colonial Pipeline Confirms Personal Information Impacted in Ransomware Attack

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.