Linux is increasingly targeted by ransomware. Researchers have now detected indications that the PYSA ransomware, often also known as Mespinoza, is also being readied for Linux targets.
PYSA, first detected in December 2019, is thought to be an evolution of Mespinoza, first detected in October 2019. The PYSA acronym stands for ‘Protect Your System Amigo’. So far it has largely been used against Windows systems in the education, healthcare, and government sectors. The FBI issued an alert on PYSA in March 2021.
It is commonly used with the ChaChi Golang-based backdoor. ChaChi is used to locate and exfiltrate data before the PYSA ransomware is activated in a double extortion attack. Researchers at Lacework, a firm that automates security across cloud deployments, now believe that PYSA should be added to the growing list of ransomware that targets Linux.
On July 1, 2021, Alien Labs reported that new samples of REvil ransomware targeting Linux systems had been detected. “REvil ransomware authors have expanded their arsenal to include Linux ransomware, which allows them to target ESXi and NAS devices,” it wrote.
On July 14, 2021, the MalwareHunterTeam disclosed on Twitter, that “the Linux version of HelloKitty ransomware was already using esxcli at least in early March for stopping VMs…”
In August 2021, Malwarebytes found a Linux ELF64 encryptor tied to BlackMatter, the group thought to have grown out of the earlier DarkSide group (best known for its attack on Colonial Pipeline). Analysis determined that the malware is designed to target VMWare ESXi servers.
Lacework researchers now report ‘with moderate confidence’ that its research “represents the PYSA actor expanding into targeting Linux hosts with ChaChi backdoor.” In June 2021, a report from the BlackBerry Research and Intelligence Team demonstrated the PYSA/ChaChi connection.
No Linux version of PYSA or ChaChi has yet been found in the wild. Lacework’s conclusions come from the discovery of a customized Linux variant of ChaChi on VirusTotal. While the new variant shares characteristics with its Windows counterpart, the researchers note, “A distinguishing characteristic of the Linux version was the presence of debug output containing datetime data.” Its newness is confirmed by just one of the 61 AV engines on VirusTotal detecting it as malware.
This leads the Lacework researchers to believe that the discovered version may have been still in its testing phase. This opinion is strengthened by the observation that the greater part of the ChaChi infrastructure has been parked or offline since June 23-24, 2021. Lacework suspects that the PYSA ransomware is going through a similar process of development into a Linux variant.
Ultimately, this is all circumstantial evidence. Nevertheless, the combination of a trend towards Linux ransomware, the discovery of PYSA’s ChaChi exfiltration tool being redeveloped for Linux, and the current inactivity of the ChaChi infrastructure all point towards PYSA being readied for use against Linux targets. If this proves correct, we can expect to see some PYSA-based big game hunting double extortion ransomware attacks in the coming weeks or months.
Lacework, headquartered in Silicon Valley, was founded in January 2015 by Mike Speiser, Sanjay Kalra, and Vikram Kapoor. It raised $525 million in a Series D funding round in January 2021, bringing the total raised to date to $599 million.