ChaChi Malware Is Spreading Ransomware In The Education Sector

If you are a business that regularly transacts with educational organizations, you need to be aware of ChaChi malware, the latest ransomware-related threat to hit the education sector. ChaChi is a RAT developed by the PYSA ransomware group. The group uses the malware to create backdoors in all types of education-oriented institutions, steal data, and lock files before extorting the victims. This piece focuses on the new threat and how organizations can guard against an attack.

Tracing the Roots of ChaChi

ChaChi first hit the scene in March 2020 as a poorly designed piece of malware that could not evade standard software-based security controls. Since then, the PYSA ransomware group has released several updates that have dramatically increased its capabilities and turned it into one of the most dangerous malware families in recent times. So serious is the ChaChi threat that it has attracted the attention of the FBI.

According to BlackBerry Threat Research and Intelligence, the new ChaChi has transformed from the earlier poorly designed variant with low-level capabilities into sophisticated malware able to perform a range of traditional RAT actions. The latest variant can carry out several actions such as backdoor creation, data exfiltration, and credential dumping from the Windows Local Security Authority Subsystem Service (LSASS).
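Credential dumping from LSASS requires a process to open lsass.exe with memory-read access, which Windows Sysmon records as Event ID 10 (ProcessAccess). The following detection check is an added example written for this article, not code from the article, BlackBerry, or the PYSA tooling; the allowlist of legitimate LSASS readers and the sample event records are constructed assumptions to be tuned per environment.

```python
import json

# Windows process access rights (Win32 API constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Assumed allowlist of processes that legitimately read LSASS memory (e.g. the AV engine);
# an assumption for this example, tune it to your own environment.
ALLOWLISTED_SOURCES = {
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}

# Constructed sample records in the shape of Sysmon Event ID 10 (ProcessAccess); not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\student\AppData\Local\Temp\svchost.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
                "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\wmiprvse.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"}),
]


def reads_memory(granted_access: int) -> bool:
    """True when the access mask includes PROCESS_VM_READ, the right needed to copy LSASS memory."""
    return granted_access & PROCESS_VM_READ == PROCESS_VM_READ


def find_lsass_access(lines):
    """Return one finding per non-allowlisted process that opened lsass.exe with memory-read rights."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines rather than aborting the scan
        if event.get("EventID") != 10:
            continue
        if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if not reads_memory(access):
            continue  # query-only handles (e.g. 0x1000) are common and benign
        source = event.get("SourceImage", "")
        if source in ALLOWLISTED_SOURCES:
            continue
        findings.append({"source": source, "granted_access": hex(access)})
    return findings


if __name__ == "__main__":
    for finding in find_lsass_access(SAMPLE_EVENTS):
        print("LSASS memory read by non-allowlisted process:", finding)
```

In the constructed sample only the binary running from a user's Temp directory is reported: the AV engine is allowlisted, the notepad access targets a different process, and the 0x1000 handle carries no memory-read right.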

Currently, ChaChi is written in Go, a relatively new language for malware, which makes it harder to detect and analyze. It also leverages gobfuscate, a powerful obfuscation tool that makes analysis of the code considerably more difficult.

Why Does ChaChi Malware Target the Education Sector?

The FBI started tracking the activities of ChaChi in March 2020 and has so far noted a massive increase in the malware's targets in both the USA and the UK. ChaChi was first deployed against French local government authorities in March 2020. By March 2021, exactly one year later, the group had escalated its threat by targeting several educational institutions in 12 US states. According to the BlackBerry Threat Research and Intelligence SPEAR Team, the gang preferentially targets organizations in the education and healthcare sectors for the following reasons:

  • Sensitive data: Organizations in the education and healthcare sector typically handle vast amounts of sensitive data. Such data carries a substantial amount of value on the dark web compared to data from other industries.
  • Legacy systems: Some institutions in the education and healthcare sector maintain older legacy systems with undiscovered or undisclosed vulnerabilities. Attackers typically focus on these vulnerabilities. Additionally, most legacy systems are no longer supported by their developers, leaving them vulnerable to threats.
  • Lack of data backup: Researchers also noted that schools and hospitals with no data backup are more prone to ChaChi malware. Without backups, persuading such an institution to pay the ransom is a lot easier once an attack has been executed successfully.
  • Poor email filtering: Educational organizations often lack the resources or skills to integrate email filtering systems. Utilizing an email filtering system can help organizations avoid falling prey to ChaChi malware. The PYSA ransomware group can slyly embed the malware in spam emails that do severe damage if opened. Email filters provide a quick yet dependable guard against such malicious emails by capturing spam messages and quarantining them.
  • Unpatched systems: Unpatched computers on a LAN are easy targets for cybercriminals because of known software vulnerabilities. Patching computers involves installing software updates that address these vulnerabilities. Once you introduce patch management into your environment, your computers will update regularly to ensure the system keeps operating securely. Unpatched computers remain exposed to threats that exploit known software and operating system weaknesses.
  • Nature of education environment: According to researchers, attackers are focusing heavily on educational organizations because educational environments have a heavy cultural emphasis on information sharing. The sheer amount of traffic from students living on campus also makes educational institutions an easy target. Additionally, most students have little regard or knowledge about cybersecurity practices and may easily fall victim to suspicious emails and programs.

How to Guard Against Malware

Install anti-spyware

Install antivirus or anti-spyware software to help identify and remove the malware. However, for these tools to be effective, ensure they are regularly updated. Additionally, audit all your files regularly for missing data errors and unauthorized additions.

Secure your authentication methods

Use a strong password of at least eight characters to secure your authentication methods. These characters should include uppercase letters, lowercase letters, numbers, and symbols. You can also use biometric tools such as fingerprints, voiceprints, facial recognition, and iris scans to authenticate to systems. Additionally, avoid saving passwords on a computer.

Keep software updated

All software is prone to malware attacks. However, software vendors regularly provide patches and updates that close newly discovered vulnerabilities. A good practice is to validate and install all new software patches. In a nutshell, ensure you regularly update your operating system, software tools, plugins, and browsers.

Control access to systems

You should also regulate access to your networks to guard against data breaches. You can achieve this by installing or implementing a firewall, an intrusion prevention system (IPS), and an intrusion detection system (IDS). You should also avoid using unfamiliar removable drives or media that have been used on a publicly accessible device. Additionally, close all unused ports, disable unused protocols, and remove all inactive user accounts that may serve as an entry point for actors.

Limit application privileges

A ChaChi malware actor only needs a single open door to infiltrate your organization. Restrict application privileges on your devices to limit the number of possible entryways. Run only the application features and functions that are crucial to your operations.

Implement email security and spam protection

Although email is a crucial communication tool for most organizations, it is also a common malware channel. You can minimize the risk of infection by scanning all incoming email messages for malware. You can also set up spam filters to prevent malicious emails and limit user access to only company-approved links, messages, and email addresses.

Educate your users

Ideally, people in an organization are the best line of defense. One way to win the war against ransomware is by continually educating users, including staff and students, on the tactics that actors deploy to access networks. Keep all users up to date on fundamental cybersecurity trends and best practices.

Seek Professional Cyber Security Help

Ransomware infections can be devastating for educational organizations. Apart from interrupting workflows and stealing your crucial data, ChaChi malware can result in substantial financial losses and reputational damage. The risks that the malware poses are so severe that the FBI warns that organizations ignoring the threat are doing so at their own risk. At WPG, we offer an array of cybersecurity services to proactively defend your business from hacking. Contact us today for more details about our solutions.

Hitesh Patel
Hitesh Patel is an engineer turned business owner of WPG Consulting. He is a techie enthusiast who believes in finding creative IT solutions to solve consumer problems.