Connect with us

Hi, what are you looking for?


Malware & Threats

Get Ready for PYSA Ransomware Attacks Against Linux Systems

Linux is increasingly targeted by ransomware. Researchers have now detected indications that the PYSA ransomware, often also known as Mespinoza, is also being readied for Linux targets.

Linux is increasingly targeted by ransomware. Researchers have now detected indications that the PYSA ransomware, often also known as Mespinoza, is also being readied for Linux targets.

PYSA, first detected in December 2019, is thought to be an evolution of Mespinoza, first detected in October 2019. The PYSA acronym stands for ‘Protect Your System Amigo’. So far it has largely been used against Windows systems in the education, healthcare, and government sectors. The FBI issued an alert on PYSA in March 2021.

It is commonly used with the ChaChi Golang-based backdoor. ChaChi is used to locate and exfiltrate data before the PYSA ransomware is activated in a double extortion attack. Researchers at Lacework, a firm that automates security across cloud deployments, now believe that PYSA should be added to the growing list of ransomware that targets Linux.

On July 1, 2021, Alien Labs reported that new samples of REvil ransomware targeting Linux systems had been detected. “REvil ransomware authors have expanded their arsenal to include Linux ransomware, which allows them to target ESXi and NAS devices,” it wrote.

On July 14, 2021, the MalwareHunterTeam disclosed on Twitter, that “the Linux version of HelloKitty ransomware was already using esxcli at least in early March for stopping VMs…”

In August 2021, Malwarebytes found a Linux ELF64 encryptor tied to BlackMatter, the group thought to have grown out of the earlier DarkSide group (best known for its attack on Colonial Pipeline). Analysis determined that the malware is designed to target VMWare ESXi servers.

Lacework researchers now report ‘with moderate confidence’ that its research “represents the PYSA actor expanding into targeting Linux hosts with ChaChi backdoor.” In June 2021, a report from the BlackBerry Research and Intelligence Team demonstrated the PYSA/ChaChi connection.

Advertisement. Scroll to continue reading.

No Linux version of PYSA or ChaChi has yet been found in the wild. Lacework’s conclusions come from the discovery of a customized Linux variant of ChaChi on VirusTotal. While the new variant shares characteristics with its Windows counterpart, the researchers note, “A distinguishing characteristic of the Linux version was the presence of debug output containing datetime data.” Its newness is confirmed by just one of the 61 AV engines on VirusTotal detecting it as malware.

This leads the Lacework researchers to believe that the discovered version may have been still in its testing phase. This opinion is strengthened by the observation that the greater part of the ChaChi infrastructure has been parked or offline since June 23-24, 2021. Lacework suspects that the PYSA ransomware is going through a similar process of development into a Linux variant.

Ultimately, this is all circumstantial evidence. Nevertheless, the combination of a trend towards Linux ransomware, the discovery of PYSA’s ChaChi exfiltration tool being redeveloped for Linux, and the current inactivity of the ChaChi infrastructure all point towards PYSA being readied for use against Linux targets. If this proves correct, we can expect to see some PYSA-based big game hunting double extortion ransomware attacks in the coming weeks or months.

Lacework, headquartered in Silicon Valley, was founded in January 2015 by Mike Speiser, Sanjay Kalra, and Vikram Kapoor. It raised $525 million in a Series D funding round in January 2021, bringing the total raised to date to $599 million.

Related: Thousands of Sites Infected With Linux Encryption Ransomware

Related: CISA, FBI Warn of Increase in Ransomware Attacks on Holidays

Related: Double Extortion: Ransomware’s New Normal – Encryption & Data Theft

Related: Colonial Pipeline Confirms Personal Information Impacted in Ransomware Attack

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.